On Sun, 14 Oct 2012 17:31:03 -0700, S Page <[email protected]> wrote:

On Sat, Oct 13, 2012 at 10:11 PM, Daniel Friesen <[email protected]> wrote:

We should probably update the documentation for $wgSecretKey; however, I'm
not sure of the best way to write it.


Leucosticte pasted your message into [1], which is a start.


At the same time it's worth noting the warning about user_token. It does
not apply to any new user_token, but old user_tokens for users who have not
updated their passwords (resulting in the reset of user_token) on wikis that
have not done a full reset will still be somewhat vulnerable to
$wgSecretKey leaks.


Your last sentence is hard to understand.

- Changing a password or resetting the entire user_token column will reset
  user_tokens. So if those are done after you upgrade to a version with
  MWCryptRand then the user_tokens affected will be ok.
- But any user_token that has not been reset yet will still be based on
  $wgSecretKey and will still be somewhat vulnerable to attacks if
  $wgSecretKey is leaked.

I updated the explanation of user_token in the User_table page[2]. I
removed the link to an explanation of Edit_token[1], since that seems to
have nothing to do with the user_token. I think MW only uses user_token as
the cookie "{$wgCookiePrefix}Token" when you click "Remember my login on
this browser", and maybe for CentralAuth.

[1] https://www.mediawiki.org/wiki/Manual:%24wgSecretKey
[2] https://www.mediawiki.org/wiki/Manual:User_table#user_token
[3] https://www.mediawiki.org/wiki/Manual:Edit_token



--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
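The "full reset" of the user_token column that Daniel describes above, as an added example rather than MediaWiki's own maintenance code: every row gets a fresh CSPRNG token, so no token derived from $wgSecretKey survives. It assumes a MediaWiki-style `user` table with `user_id` and `user_token` columns reachable through PDO; the DSN, credentials and the `resetAllUserTokens`/`generateUserToken` helper names are placeholders of this example.

```php
<?php
// Added example, not MediaWiki code: rotate every user_token to a fresh
// CSPRNG value. Assumes a MediaWiki-style `user` table (user_id, user_token)
// reachable through PDO; DSN and credentials below are placeholders.

const USER_TOKEN_LENGTH = 32; // MediaWiki stores a 32-character hex token

function generateUserToken(): string
{
    // random_bytes() is a CSPRNG, so the new token does not depend on
    // $wgSecretKey and a leaked key gives no way to predict it.
    return bin2hex(random_bytes(USER_TOKEN_LENGTH / 2));
}

function resetAllUserTokens(PDO $db, int $batchSize = 500): int
{
    $select = $db->prepare(
        'SELECT user_id FROM user WHERE user_id > :last ORDER BY user_id LIMIT :lim'
    );
    $update = $db->prepare('UPDATE user SET user_token = :token WHERE user_id = :id');
    $lastId = 0;
    $count  = 0;
    do {
        $select->bindValue(':last', $lastId, PDO::PARAM_INT);
        $select->bindValue(':lim', $batchSize, PDO::PARAM_INT);
        $select->execute();
        $ids = $select->fetchAll(PDO::FETCH_COLUMN);
        if ($ids === []) {
            break;
        }
        $db->beginTransaction();
        foreach ($ids as $id) {
            // Each user must get a distinct token: reusing one value across
            // rows would make every "remember me" cookie interchangeable.
            $update->execute([':token' => generateUserToken(), ':id' => (int) $id]);
            $count++;
        }
        $db->commit();
        $lastId = (int) end($ids);
    } while (count($ids) === $batchSize);
    return $count;
}

$db = new PDO('mysql:host=localhost;dbname=wikidb', 'wikiuser', 'PASSWORD_PLACEHOLDER', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
printf("Reset %d user_token values; all remembered logins are now invalid.\n",
    resetAllUserTokens($db));
```

Running this logs every user out of their "Remember my login" sessions at once, which is the expected cost of the reset; users whose tokens were already regenerated by a password change after the upgrade are rotated again, harmlessly.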


_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
