
Update SecureSessions to use AuthManager
Open, Needs Triage · Public

Description

See parent task and T110414#1578206.

The AbortLogin hook is deprecated. Implement a PreAuthenticationProvider or SecondaryAuthenticationProvider instead.

The UserSetCookies hook is deprecated. Chances are what you're doing in there would be better done by saving the data in memcache or the database from a SecondaryAuthenticationProvider. This also takes care of the use of the deprecated UserLoginForm hook.

The UserLoadFromSession hook is deprecated. You'd probably want to use the SessionMetadata hook to replace the parts that store data and the SessionCheckInfo hook to replace the parts that check it and return a false result.
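
A sketch of the last replacement described above, applied to IP and User-Agent binding of a session. It is an added example, not code from SecureSessions or from any patch on this task: the class name, the metadata key and the FakeRequest stand-in (there so the file runs outside MediaWiki) are hypothetical, while the two handler signatures follow MediaWiki's documented SessionMetadata and SessionCheckInfo hooks.

```php
<?php
// Constructed stand-in for MediaWiki's WebRequest so this file runs on its own.
class FakeRequest {
	private $ip;
	private $ua;
	public function __construct( $ip, $ua ) { $this->ip = $ip; $this->ua = $ua; }
	public function getIP() { return $this->ip; }
	public function getHeader( $name ) { return $name === 'User-Agent' ? $this->ua : false; }
}

class SessionBindingHooks {
	// Hypothetical metadata key, prefixed to avoid clashing with other extensions.
	const KEY = 'ExampleSessionBinding';

	// Values the session is bound to; the User-Agent is hashed to keep metadata small.
	private static function fingerprint( $request ) {
		return [
			'ip' => (string)$request->getIP(),
			'ua' => hash( 'sha256', (string)$request->getHeader( 'User-Agent' ) ),
		];
	}

	// SessionMetadata: the "store data" half. Runs when the session is saved.
	public static function onSessionMetadata( $backend, &$metadata, $requests ) {
		$request = reset( $requests );
		if ( $request ) {
			$metadata[self::KEY] = self::fingerprint( $request );
		}
	}

	// SessionCheckInfo: the "check and return false" half. Runs when the session is loaded.
	public static function onSessionCheckInfo( &$reason, $info, $request, $metadata, $userInfo ) {
		$stored = is_array( $metadata ) ? ( $metadata[self::KEY] ?? null ) : null;
		if ( $stored === null ) {
			return true; // session was saved before the binding existed
		}
		foreach ( self::fingerprint( $request ) as $field => $value ) {
			if ( !hash_equals( (string)( $stored[$field] ?? '' ), $value ) ) {
				$reason = "Session binding mismatch on $field"; // logged by SessionManager
				return false;
			}
		}
		return true;
	}
}

// Constructed demo: save from one client, then load from the same client and from another IP.
$meta = [];
SessionBindingHooks::onSessionMetadata( null, $meta, [ new FakeRequest( '192.0.2.10', 'BrowserA' ) ] );
$reason = '';
var_dump( SessionBindingHooks::onSessionCheckInfo( $reason, null, new FakeRequest( '192.0.2.10', 'BrowserA' ), $meta, null ) );
var_dump( SessionBindingHooks::onSessionCheckInfo( $reason, null, new FakeRequest( '198.51.100.7', 'BrowserA' ), $meta, null ) );
echo $reason, "\n";
```

Because the check runs when the session is loaded and the metadata is rewritten only on save, a request that fails the check never gets to rebind the session to its own address.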

Event Timeline

Tgr created this task. Aug 27 2015, 2:36 AM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description.
Tgr added subscribers: Liuxinyu970226, Krenair, Florian and 2 others.
Restricted Application added a subscriber: StudiesWorld. Nov 21 2015, 5:18 AM
Anomie updated the task description. May 13 2016, 9:43 PM
Seb35 added a subscriber: Seb35. May 8 2017, 5:26 PM

I am trying to implement this as an exercise to better understand AuthManager. The initial task description is quite useful to get the big picture, thanks. I wrote the page Internals to help understand the current state of the extension. Given this extension has two independent mechanisms, this task can be solved part by part.

Mechanisms:

  1. restrictions on authentication (country binding and Tor blacklisting), based on user preferences, these can be implemented as one or two PreAuthenticationProvider(s); I began working on it;
  2. restrictions on sessions (IP binding, UserAgent binding, unique session binding)

Change 352708 had a related patch set (by Seb35) published:
[mediawiki/extensions/SecureSessions@master] [WIP] Partial conversion to AuthManager

https://gerrit.wikimedia.org/r/352708

Seb35 added a comment. May 21 2017, 1:29 PM

I finished the part for Authentication (CountryBinding and Tor), see the gerrit patch 352708.

For the session part, there is currently an indefinite loop between this extension (the hook UserSetCookies) and SessionManager, this loop is pasted in P5472.

hashar updated the task description. Jul 5 2018, 3:49 PM

Change 446357 had a related patch set uploaded (by Hashar; owner: Hashar):
[integration/config@master] Disable test for ext not supporting AuthManager

https://gerrit.wikimedia.org/r/446357

Change 446357 merged by jenkins-bot:
[integration/config@master] Disable test for ext not supporting AuthManager

https://gerrit.wikimedia.org/r/446357