On Sat, Oct 13, 2012 at 10:11 PM, Daniel Friesen <[email protected]> wrote:
> We should probably update the documentation for $wgSecretKey however I'm
> not sure the best way to write it.
>
Leucosticte pasted your message into [1], which is a start.
> At the same time it's worth noting the warning about user_token. It does
> not apply to any new user_token but old user_tokens for users who have not
> updated their passwords resulting in the reset of user_token on wikis that
> have not done a full reset will still be somewhat vulnerable to
> $wgSecretKey leaks.
>
Your last sentence is hard to understand.
I updated the explanation of user_token in the User_table page[2]. I
removed the link to an explanation of Edit_token[3], since that seems
to have nothing to do with the user_token. I think MW only uses user_token
as the cookie "{$wgCookiePrefix}Token" when you click "Remember my login on
this browser", and maybe for CentralAuth.
[1] https://www.mediawiki.org/wiki/Manual:%24wgSecretKey
[2] https://www.mediawiki.org/wiki/Manual:User_table#user_token
[3] https://www.mediawiki.org/wiki/Manual:Edit_token
--
=S Page software engineer on E3