Extension:SecureSessions
SecureSessions | Release status: beta
---|---
Implementation | User identity, User activity, Special page
Description | More secure session authorization and allows users to view open sessions.
Author(s) | Tyler Romeo (Parent5446)
Latest version | 0.5
MediaWiki | 1.21+
PHP | 5.3+
Database changes | No
License | GNU GPL 3+
The SecureSessions extension implements more secure session authentication for logged-in users by using stricter cookie-session comparisons and by optionally locking sessions to an IP address and/or User Agent. It also allows users to view all sessions logged in under their account and to log those sessions out if desired.
Installation
- Make sure some sort of caching is turned on.
- Download and extract the files in a directory called SecureSessions in your extensions/ folder. If you're a developer and this extension is in a Git repository, then instead you should clone the repository.
- Add the following code at the bottom of your LocalSettings.php:
  require_once( "$IP/extensions/SecureSessions/SecureSessions.php" );
- Done! Navigate to "Special:Version" on your wiki to verify that the extension is successfully installed.
Configuration parameters
- $wgEnhancedSessionAuth
- Configures which restrictions to apply to session authentication. The value is an array whose keys can be 'ip' (IP-based session restriction), 'useragent' (User Agent-based session restriction), or 'singlesession' (when a user logs in, all other sessions are logged out). Each key can be set to true (force the restriction), null (let the user decide on login), or false (disable the restriction). Alternatively, the whole setting can be a boolean: false is equivalent to setting all keys to false, and true is equivalent to setting 'ip' and 'useragent' to true and 'singlesession' to null.
- $wgSessionCycleId
- Whether or not to cycle the session ID on every request. The default is false. When turned on, this may cause small performance issues if not using memcached sessions (which you should be using anyway if you are that worried about performance).
Usage
Once installed, most of the extension's work happens behind the scenes. The only UI change users will notice is that, for every null value in $wgEnhancedSessionAuth, a new checkbox is added to the login form asking for the user's preference on that restriction. In addition, there is a new link in the top right corner of the page that leads to Special:Sessions, which displays a list of open sessions and a button to close all other sessions.
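The following added example, which is not code from the extension, works through the $wgEnhancedSessionAuth semantics described under Configuration parameters and the login checkboxes described under Usage: it expands a boolean or array setting into one value per restriction and lists which restrictions are forced and which would appear as login-form checkboxes. The function names are hypothetical, and treating a key left out of the array as disabled is an assumption the page does not state.

```php
<?php
// Added illustration, not SecureSessions source code. Function names are hypothetical.
/** Expand a $wgEnhancedSessionAuth value into one entry per restriction. */
function normalizeEnhancedSessionAuth( $setting ) {
	$keys = array( 'ip', 'useragent', 'singlesession' );
	if ( $setting === false ) {
		return array_fill_keys( $keys, false );
	}
	if ( $setting === true ) {
		return array( 'ip' => true, 'useragent' => true, 'singlesession' => null );
	}
	if ( !is_array( $setting ) ) {
		throw new InvalidArgumentException( 'Expected a boolean or an array' );
	}
	$unknown = array_diff( array_keys( $setting ), $keys );
	if ( count( $unknown ) > 0 ) {
		throw new InvalidArgumentException( 'Unknown key: ' . implode( ', ', $unknown ) );
	}
	$out = array();
	foreach ( $keys as $key ) {
		// Assumption: a key left out of the array counts as disabled (false).
		$value = array_key_exists( $key, $setting ) ? $setting[$key] : false;
		if ( $value !== true && $value !== false && $value !== null ) {
			throw new InvalidArgumentException( "'$key' must be true, null or false" );
		}
		$out[$key] = $value;
	}
	return $out;
}

/** Names of restrictions with the given value (true = forced, null = login checkbox). */
function restrictionsWithValue( array $normalized, $wanted ) {
	$names = array();
	foreach ( $normalized as $key => $value ) {
		if ( $value === $wanted ) {
			$names[] = $key;
		}
	}
	return $names;
}
// Constructed sample settings, as they could be assigned in LocalSettings.php.
$samples = array(
	'true' => true,
	'mixed' => array( 'ip' => null, 'useragent' => true, 'singlesession' => false ),
);
foreach ( $samples as $label => $setting ) {
	$n = normalizeEnhancedSessionAuth( $setting );
	echo $label, ': forced=[', implode( ',', restrictionsWithValue( $n, true ) ), '] checkbox=[', implode( ',', restrictionsWithValue( $n, null ) ), "]\n";
}
```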
Known Issues
- When $wgSessionCycleId is set to true, users are sometimes accidentally logged out when typing things in the search bar.