Extension:SecureSessions

The SecureSessions extension implements more secure session authentication for logged-in users by using stricter cookie-session comparisons and by optionally locking sessions to an IP address and/or User Agent. It also allows users to view all sessions logged in under their account and to log them out if desired.

Installation

 * Pending resolution of T110465, this extension does not work with MediaWiki 1.27+.
 * Make sure some sort of object caching is turned on.

Configuration parameters

 * $wgEnhancedSessionAuth: Configures which restrictions are applied to session authentication. When set to an array, each key names a restriction: 'ip' (IP-based session restriction), 'useragent' (User Agent-based session restriction), or 'singlesession' (when a user logs in, all of that user's other sessions are logged out). Each key can be set to true (force the restriction), null (let the user decide on login), or false (disable the restriction). Alternatively, the whole parameter can be set to a boolean: false is equivalent to setting all keys to false, and true is equivalent to setting 'ip' and 'useragent' to true and 'singlesession' to null.
 * $wgSessionCycleId: Whether or not to cycle the session ID on every request. The default is false. When turned on, this may cause small performance issues if not using memcached sessions (which you should be using anyway if you are that worried about performance).
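How these two parameters are interpreted, as an added example that is not the extension's own code: a small, self-contained PHP model of how the documented values of $wgEnhancedSessionAuth combine with the user's choice on the login form, and how a session bound at login is then compared against a later request. The function names, the session and request arrays, and the rule that a key missing from an explicit array counts as disabled are assumptions of this example, not behaviour stated on the page.

```php
<?php
// Added example, not SecureSessions code. Models the documented semantics of
// $wgEnhancedSessionAuth; all function names below are hypothetical.

/**
 * Normalize $wgEnhancedSessionAuth into an array with the three documented keys.
 *   true  => 'ip' and 'useragent' forced, 'singlesession' left to the user (null)
 *   false => every restriction disabled
 *   array => used as given; a missing key is treated as disabled (assumption)
 */
function normalizeEnhancedSessionAuth( $value ) {
	if ( $value === true ) {
		return [ 'ip' => true, 'useragent' => true, 'singlesession' => null ];
	}
	if ( $value === false ) {
		return [ 'ip' => false, 'useragent' => false, 'singlesession' => false ];
	}
	$out = [];
	foreach ( [ 'ip', 'useragent', 'singlesession' ] as $key ) {
		$out[$key] = array_key_exists( $key, $value ) ? $value[$key] : false;
	}
	return $out;
}

/**
 * Whether a restriction is active for this login: true always applies, false
 * never applies, and null defers to the checkbox the user ticked on the login form.
 */
function restrictionActive( array $config, $key, array $userChoices ) {
	if ( $config[$key] === null ) {
		return !empty( $userChoices[$key] );
	}
	return (bool)$config[$key];
}

/**
 * Compare the IP address and User Agent bound to the session at login with the
 * current request. Returns true when the session may continue, false when it
 * should be rejected. Both arrays carry string 'ip' and 'useragent' entries.
 */
function sessionMatchesRequest( array $config, array $userChoices, array $session, array $request ) {
	if ( restrictionActive( $config, 'ip', $userChoices )
		&& !hash_equals( $session['ip'], $request['ip'] )
	) {
		return false;
	}
	if ( restrictionActive( $config, 'useragent', $userChoices )
		&& !hash_equals( $session['useragent'], $request['useragent'] )
	) {
		return false;
	}
	return true;
}

/**
 * Session IDs that remain valid for a user after a new login: with the
 * 'singlesession' restriction active, only the new session survives.
 */
function sessionsToKeepAfterLogin( array $config, array $userChoices, array $existingIds, $newId ) {
	if ( restrictionActive( $config, 'singlesession', $userChoices ) ) {
		return [ $newId ];
	}
	return array_merge( $existingIds, [ $newId ] );
}

// LocalSettings.php-style settings: lock to IP and User Agent, let the user
// decide about single-session mode; leave ID cycling off (see Known Issues).
$wgEnhancedSessionAuth = [ 'ip' => true, 'useragent' => true, 'singlesession' => null ];
$wgSessionCycleId = false;

$config = normalizeEnhancedSessionAuth( $wgEnhancedSessionAuth );
$userChoices = [ 'singlesession' => true ]; // the box the user ticked at login

// Constructed sample data: the same browser string, but a different address.
$loginSession = [ 'ip' => '203.0.113.7', 'useragent' => 'Mozilla/5.0 (example)' ];
$laterRequest = [ 'ip' => '198.51.100.9', 'useragent' => 'Mozilla/5.0 (example)' ];

var_dump( sessionMatchesRequest( $config, $userChoices, $loginSession, $laterRequest ) );
var_dump( sessionsToKeepAfterLogin( $config, $userChoices, [ 'old-a', 'old-b' ], 'new-c' ) );
```

With these settings the later request is rejected because the 'ip' restriction is forced and the address changed, while the User Agent check passes; the ticked 'singlesession' box means only 'new-c' remains after the login. Setting $wgEnhancedSessionAuth to a plain true or false instead of the array goes through the same normalization.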

Usage

Once installed, most of the extension's work happens behind the scenes. The only UI changes users will notice are that, for every null value in $wgEnhancedSessionAuth, a new checkbox is added to the login form asking the user's preference on that restriction, and that a new link in the top right corner of the page leads to Special:Sessions, which lists the user's open sessions and offers a button to close all other sessions.

Known Issues

 * When $wgSessionCycleId is set to true, users are sometimes accidentally logged out when typing things in the search bar.