Manual:$wgAuthenticationTokenVersion

Authentication: $wgAuthenticationTokenVersion
When changed, all existing sessions are invalidated.
Introduced in version: 1.27.0 (Gerrit change 267734; git #fbec46e3)
Removed in version: still in use
Allowed values: (string)
Default value: null

Details

$wgAuthenticationTokenVersion is used to salt the token stored in the database (user.user_token by default; some authentication extensions such as CentralAuth use a different field) before it's sent as a cookie (which is done when someone logs in with the "remember me" option enabled). This means that changing the value will immediately detach all sessions and log all users out. This is intended for emergencies such as a mass account compromise.

If $wgAuthenticationTokenVersion is set to null, the raw token value from the database is set in the cookie.

Note that using this setting to log users out has two limitations:

  • if an attacker has obtained the raw token value from the database, and knows the value of $wgAuthenticationTokenVersion, they can always calculate the cookie value.
  • if $wgAuthenticationTokenVersion is changed from null to a different value, old cookies will contain the raw database value; thus, while users will be logged out, sophisticated ones can recover their old session.
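
The salting behaviour and the two limitations above can be checked with a small model. This is an added example, not MediaWiki's own code: the function names are hypothetical, the token is a constructed sample, and HMAC-SHA256 is an assumed stand-in for whatever construction MediaWiki uses to salt the token.

```python
import hashlib
import hmac
from typing import Optional


def cookie_token(db_token: str, version: Optional[str]) -> str:
    """Model of the value placed in the "remember me" cookie.

    version=None mirrors $wgAuthenticationTokenVersion = null: the raw
    database token is sent as-is. Otherwise the token is salted with the
    version string (HMAC-SHA256 is an assumption of this model).
    """
    if version is None:
        return db_token
    return hmac.new(version.encode(), db_token.encode(), hashlib.sha256).hexdigest()


def cookie_is_valid(cookie: str, db_token: str, version: Optional[str]) -> bool:
    """Server-side check: does the presented cookie match the current setting?"""
    return hmac.compare_digest(cookie, cookie_token(db_token, version))


def demo() -> dict:
    db_token = "3f9c0a1b5d7e2468ace013579bdf2468"  # constructed sample user_token
    results = {}

    # Changing the version ("1" -> "2") invalidates every cookie issued before.
    old_cookie = cookie_token(db_token, "1")
    results["old_cookie_valid_after_change"] = cookie_is_valid(old_cookie, db_token, "2")

    # Limitation 1: the cookie is a pure function of (db_token, version), so
    # anyone holding both values can compute it, whatever the version is.
    recomputed = cookie_token(db_token, "2")
    results["computable_from_db_token"] = cookie_is_valid(recomputed, db_token, "2")

    # Limitation 2: under null the cookie *is* the raw database token. After
    # switching null -> "1" the old cookie is rejected, but its holder still
    # has the raw token and can derive the new cookie value from it.
    raw_cookie = cookie_token(db_token, None)
    results["raw_cookie_valid_after_change"] = cookie_is_valid(raw_cookie, db_token, "1")
    results["raw_cookie_is_db_token"] = raw_cookie == db_token
    rederived = cookie_token(raw_cookie, "1")
    results["rederived_cookie_valid"] = cookie_is_valid(rederived, db_token, "1")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In both limitation cases the version change alone leaves the database token unchanged, which is why the cookie value remains computable.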

See also