Extension:SecureSessions

The SecureSessions extension implements more secure session authentication for logged-in users by using stricter cookie-session comparisons and by optionally locking sessions to an IP address and/or User Agent. It also allows users to view all sessions logged in under their account and to log them out if desired.

Installation

 * Make sure some sort of caching is turned on.

Configuration parameters

 * $wgEnhancedSessionAuth: Configures which restrictions to apply to session authentication. When set to an array, each key can be 'ip' (IP-based session restriction), 'useragent' (User Agent-based session restriction), or 'singlesession' (when a user logs in, all other sessions are logged out). Each key can be set to true (force the restriction), null (let the user decide on login), or false (disable the restriction). Alternatively, the whole setting can be a boolean true or false. False is the equivalent of setting all keys to false. True is the equivalent of setting 'ip' and 'useragent' to true and setting 'singlesession' to null.
 * $wgSessionCycleId: Whether or not to cycle the session ID on every request. The default is true. When turned on, this may cause small performance issues if not using memcached sessions (which you should be using anyway if you are that worried about performance).
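
The following is an added illustration of the $wgEnhancedSessionAuth semantics described above; it is not code from the extension. The helper names normalizeSessionAuth() and restrictionApplies() are hypothetical, and treating an unlisted key as disabled and rejecting unknown keys are assumptions the page does not state.

```php
<?php
// Added illustration, not SecureSessions source code.
const SESSION_AUTH_KEYS = [ 'ip', 'useragent', 'singlesession' ];

/**
 * Expand a $wgEnhancedSessionAuth value into its per-key form.
 * Boolean true  => 'ip' and 'useragent' forced, 'singlesession' left to the user.
 * Boolean false => every restriction disabled.
 */
function normalizeSessionAuth( $setting ): array {
	if ( $setting === true ) {
		return [ 'ip' => true, 'useragent' => true, 'singlesession' => null ];
	}
	if ( $setting === false ) {
		return [ 'ip' => false, 'useragent' => false, 'singlesession' => false ];
	}
	if ( !is_array( $setting ) ) {
		throw new InvalidArgumentException( 'Expected a boolean or an array' );
	}
	// Assumption: reject misspelled keys so a typo cannot silently drop a restriction.
	$unknown = array_diff( array_keys( $setting ), SESSION_AUTH_KEYS );
	if ( $unknown ) {
		throw new InvalidArgumentException( 'Unknown key(s): ' . implode( ', ', $unknown ) );
	}
	$policy = [];
	foreach ( SESSION_AUTH_KEYS as $key ) {
		// array_key_exists(), not ??, because null is a meaningful value here.
		// Assumption: a key that is not listed counts as disabled.
		$value = array_key_exists( $key, $setting ) ? $setting[$key] : false;
		if ( $value !== true && $value !== false && $value !== null ) {
			throw new InvalidArgumentException( "'$key' must be true, null or false" );
		}
		$policy[$key] = $value;
	}
	return $policy;
}

/** true forces the restriction, false disables it, null defers to the user's login choice. */
function restrictionApplies( array $policy, string $key, bool $userOptedIn ): bool {
	return $policy[$key] ?? $userOptedIn;
}

// Constructed sample value: force IP locking, let users choose the other two.
$policy = normalizeSessionAuth( [ 'ip' => true, 'useragent' => null, 'singlesession' => null ] );
var_dump( restrictionApplies( $policy, 'ip', false ) );        // forced by the site
var_dump( restrictionApplies( $policy, 'useragent', false ) ); // user declined at login
var_dump( normalizeSessionAuth( true ) === normalizeSessionAuth(
	[ 'ip' => true, 'useragent' => true, 'singlesession' => null ] ) );
```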