Jump to navigation Jump to search
This page is a translated version of the page Manual:$wgReauthenticateTime and the translation is 33% complete.
Authentification: $wgReauthenticateTime
Délai de ré-authentification
Introduit dans la version :1.27.0 (Gerrit change 195297; git #d245bd25)
Retiré dans la version :Encore utilisé
Valeurs autorisées :(tableau associatif de fonctionnement => temps en secondes. Une clé default doit toujours être fournie.)
Valeur par défaut :[ 'default' => 300 ]

Certain security-sensitive operations like changing a user's password or email address should involve re-checking the user's identity, as otherwise they would allow stealing an account just by getting access to a logged-in session (e.g. when the owner has left their laptop unguarded for a few minutes). With only password-based authentication, you'd just add an extra field to the form and ask the user to re-enter their password. But under AuthManager, the user might not have a password, and authenticating might involve complex steps that cannot be handled with extra form fields (e.g. redirecting the browser to some third-party service), you might want to check both factors of a two-factor authentication, and so on. So, the options are:

  • Incorporate the whole multi-step authentication flow within everything that needs to do this.
  • Consider it good if they used Special:UserLogin during this session within the last X seconds.
  • Come up with some third option.

MediaWiki currently takes the second option and forces the user to log in again if the last login was too long ago. This setting configures the "X seconds". Different time frames can be set for different "operations". The operation names are typically the names of the special pages which perform them; they include:

  • LinkAccounts
  • UnlinkAccount
  • ChangeCredentials
  • RemoveCredentials
  • ChangeEmail

Additional operations may be used by extensions, either explicitly by calling AuthManager::securitySensitiveOperationStatus(), ApiAuthManagerHelper::securitySensitiveOperation() or SpecialPage::checkLoginSecurityLevel(), or implicitly by overriding SpecialPage::getLoginSecurityLevel() or by subclassing AuthManagerSpecialPage.

The key default is used if a requested operation isn't defined in the array.

Voir aussi