Manual:$wgAuthenticationTokenVersion

Details
  is used to salt the token stored in the database (  by default; some authentication extensions such as  use a different field) before it's sent as a cookie (which is done when someone logs in with the "remember me" option enabled). This means that changing the value will immediately detach all sessions and log all users out. This is intended for emergencies such as a mass account compromise.

If   is set to null, the raw token value from the database is set in the cookie.

Note that using this setting to log users out has two limitations:


 * if an attacker has obtained the raw token value from the database, and knows the value of  , they can always calculate the cookie value.


 * if   is changed from null to a different value, old cookies will contain the raw database value; thus, while users will be logged out, sophisticated ones can recover their old session.