Manual:$wgReauthenticateTime

From mediawiki.org
Authentication: $wgReauthenticateTime
Time frame for re-authentication
Introduced in version:1.27.0 (Gerrit change 195297; git #d245bd25)
Removed in version:still in use
Allowed values:(associative array of operation => time in seconds. A default key must always be provided.)
Default value:[ 'default' => 300, ]

Certain security-sensitive operations like changing a user's password or email address should involve re-checking the user's identity, as otherwise they would allow stealing an account just by getting access to a logged-in session (e.g. when the owner has left their laptop unguarded for a few minutes). With only password-based authentication, you'd just add an extra field to the form and ask the user to re-enter their password. But under AuthManager, the user might not have a password, and authenticating might involve complex steps that cannot be handled with extra form fields (e.g. redirecting the browser to some third-party service), you might want to check both factors of a two-factor authentication, and so on. So, the options are:

  • Incorporate the whole multi-step authentication flow within everything that needs to do this.
  • Consider it good if they used Special:UserLogin during this session within the last X seconds.
  • Come up with some third option.

MediaWiki currently takes the second option and forces the user to log in again if the last login was too long ago. This setting configures the "X seconds". Different time frames can be set for different "operations". The operation names are typically the names of the special pages which perform them; they include:

  • LinkAccounts
  • UnlinkAccount
  • ChangeCredentials
  • RemoveCredentials
  • ChangeEmail

Additional operations may be used by extensions, either explicitly by calling AuthManager::securitySensitiveOperationStatus(), ApiAuthManagerHelper::securitySensitiveOperation() or SpecialPage::checkLoginSecurityLevel(), or implicitly by overriding SpecialPage::getLoginSecurityLevel() or by subclassing AuthManagerSpecialPage.

The key default is used if a requested operation isn't defined in the array.

See also[edit]