Manual:$wgReauthenticateTime

From mediawiki.org
Authentication: $wgReauthenticateTime
Time frame for re-authentication
Introduced in version: 1.27.0 (Gerrit change 195297; git #d245bd25)
Removed in version: Still in use
Allowed values: (associative array of operation => time in seconds. A default key must always be provided.)
Default value: ['default' => 300,]

Certain security-sensitive operations, like changing a user's password or email address, should involve re-checking the user's identity, as otherwise they would allow stealing an account just by getting access to a logged-in session (e.g. when the owner has left their laptop unguarded for a few minutes). With only password-based authentication, you'd just add an extra field to the form and ask the user to re-enter their password. But under AuthManager, the user might not have a password, authenticating might involve complex steps that cannot be handled with extra form fields (e.g. redirecting the browser to some third-party service), you might want to check both factors of a two-factor authentication, and so on. So, the options are:

  • Incorporate the whole multi-step authentication flow within everything that needs to do this.
  • Consider it good if they used Special:UserLogin during this session within the last X seconds.
  • Come up with some third option.

MediaWiki currently takes the second option and forces the user to log in again if the last login was too long ago. This setting configures the "X seconds". Different time frames can be set for different "operations". The operation names are typically the names of the special pages which perform them; they include:

  • LinkAccounts
  • UnlinkAccount
  • ChangeCredentials
  • RemoveCredentials
  • ChangeEmail

Additional operations may be used by extensions, either explicitly by calling AuthManager::securitySensitiveOperationStatus(), ApiAuthManagerHelper::securitySensitiveOperation() or SpecialPage::checkLoginSecurityLevel(), or implicitly by overriding SpecialPage::getLoginSecurityLevel() or by subclassing AuthManagerSpecialPage.

The key 'default' is used if a requested operation isn't defined in the array.
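
The per-operation lookup and the fallback to 'default' can be seen in a small stand-alone model. This is an added example, not MediaWiki's own code: the helpers reauthWindow() and needsReauth(), the per-operation values and the timestamps are all constructed for illustration, and treating a missing 'default' key as an error is this sketch's choice, based on the requirement above that the key must always be provided.

```php
<?php
// Added illustration: a stand-alone model of the lookup, not MediaWiki code.

// Example policy in the shape the setting expects (values are constructed).
$wgReauthenticateTime = [
    'default' => 300,           // the documented default value
    'ChangeCredentials' => 60,  // tighter window for credential changes
    'ChangeEmail' => 60,
    'UnlinkAccount' => 120,
];

/**
 * Hypothetical helper: return the time frame in seconds for an operation,
 * falling back to the mandatory 'default' key.
 */
function reauthWindow(array $config, string $operation): int {
    if (isset($config[$operation])) {
        return (int)$config[$operation];
    }
    if (!isset($config['default'])) {
        // Assumption of this sketch: a missing default is a configuration error.
        throw new UnexpectedValueException('$wgReauthenticateTime has no "default" key');
    }
    return (int)$config['default'];
}

/**
 * Hypothetical helper: true when the last login is older than the window
 * for this operation, so the user should be sent to log in again.
 */
function needsReauth(array $config, string $operation, int $lastLogin, int $now): bool {
    $elapsed = max(0, $now - $lastLogin); // guard against clock skew
    return $elapsed > reauthWindow($config, $operation);
}

// Constructed scenario: the user logged in 90 seconds ago.
$now = 1700000000;
$lastLogin = $now - 90;
foreach (['ChangeCredentials', 'UnlinkAccount', 'LinkAccounts'] as $op) {
    printf(
        "%-18s window=%3ds reauth=%s\n",
        $op,
        reauthWindow($wgReauthenticateTime, $op),
        needsReauth($wgReauthenticateTime, $op, $lastLogin, $now) ? 'yes' : 'no'
    );
}
```

LinkAccounts has no entry in the constructed array, so it takes the 'default' window. ChangeCredentials has a shorter window than the 90 seconds elapsed, so it is the only operation of the three that asks for a fresh login.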
