Jump to content

Extension talk:SecureSessions

About this board

Incompatible with "$wgCookieExpiration = 0"?

5
Summary by Seb35

MediaWiki bug T49886 solved in MediaWiki 1.22 and it caused bad interaction with this extension.

Cindy.cicalese (talkcontribs)

We have a requirement that users not be able to be logged in from multiple IP addresses and that they not be able to have their sessions persist with the "remember me" checkbox. This extension works great in limiting login to a single IP address, but when I set "$wgCookieExpiration = 0" to prevent persistent sessions, the user is logged out whenever I refresh the page or go to a new page in the wiki. This appears to be a bug in SecureSessions, but perhaps there is another way to accomplish this? Thanks for any help.

68.194.80.202 (talkcontribs)
Parent5446 (talkcontribs)

Hey, thanks for bringing this to my attention. I'll investigate this today and see if I can find out what is causing the bug. Just to check, are you running the latest version of this extension? Also, what version of MediaWiki are you using and what configuration are you using for the extension?

Parent5446 (talkcontribs)

Hey again,

So I discovered the reason the bug you are having is occurring. It's actually not a bug with Extension:SecureSessions but a bug with the MediaWiki core itself. The current documentation says that setting $wgCookieExpiration to 0 will make all cookies be only in-session. However, MediaWiki instead is interpreting it as "have cookies expire 0 seconds from now". Unfortunately, without Extension:SecureSessions, you don't notice this bug because MediaWiki still keeps you logged in with PHP's session functionality.

I have submitted a bug at bugzilla:47886. In the meantime, the only workaround is to not set $wgCookieExpiration to 0, as it does not do what you're expecting it to do at the moment.

Sorry for the inconvenience,

Cindy.cicalese (talkcontribs)

Thanks for looking into this and finding and reporting the MediaWiki bug! I will watch the bug and look forward to using this functionality in the future.

There are no older topics