Available from version 1.27.0
Affect the return value from AuthManager::securitySensitiveOperationStatus().
Define function:
public static function onSecuritySensitiveOperationStatus( &$status, $operation, $session, $timeSinceAuth ) { ... }
Attach hook: In extension.json:
	"Hooks": {
		"SecuritySensitiveOperationStatus": "MediaWiki\\Extension\\MyExtension\\Hooks::onSecuritySensitiveOperationStatus"
Called from: File(s): auth/AuthManager.php
Function(s): securitySensitiveOperationStatus
Interface: SecuritySensitiveOperationStatusHook.php

For more information about attaching hooks, see Manual:Hooks .
For examples of extensions using this hook, see Category:SecuritySensitiveOperationStatus extensions.


  • &$status: (string) The status to be returned. One of the AuthManager::SEC_* constants. SEC_REAUTH will be automatically changed to SEC_FAIL if authentication isn't possible for the current session type.
  • $operation: (string) The operation being checked.
  • $session: (Session) The current session. The currently-authenticated user may be retrieved as $session->getUser().
  • $timeSinceAuth: (int) The time since last authentication. PHP_INT_MAX if the time of last auth is unknown, or -1 if authentication is not possible.

By default, when some operation requires elevated security (e.g. some special page requests it via SpecialPage::getLoginSecurityLevel()) MediaWiki checks when the user logged in and forces them to log in again if it was more than $wgReauthenticateTime seconds ago. This hook can be used to implement more complex logic (e.g. require reauthentication if the request is coming from a different IP then the one the user logged in from).

Extensions implementing this should take care not to override more strict requirements coming from other extensions (e.g. don't return false if you are setting the status to SEC_REAUTH because some other hook handler might want to set it to SEC_FAIL).

See also