
Update SecureSessions to use AuthManager
Open, Needs Triage, Public


See parent task and T110414#1578206.

The AbortLogin hook is deprecated. Implement a PreAuthenticationProvider or SecondaryAuthenticationProvider instead.

The UserSetCookies hook is deprecated. Chances are what you're doing in there would be better done by saving the data in memcache or the database from a SecondaryAuthenticationProvider. This also takes care of the use of the deprecated UserLoginForm hook.

The UserLoadFromSession hook is deprecated. You'd probably want to use the SessionMetadata hook to replace the parts that store data and the SessionCheckInfo hook to replace the parts that check it and return a false result.

Event Timeline

Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description.
Tgr added subscribers: Liuxinyu970226, Krenair, Florian and 2 others.

I am trying to implement this as an exercise to better understand AuthManager. The initial task description is quite useful to get the big picture, thanks. I wrote the page Internals to help understand the current state of the extension. Given this extension has two independent mechanisms, this task can be solved part by part.


  1. restrictions on authentication (country binding and Tor blacklisting), based on user preferences, these can be implemented as one or two PreAuthenticationProvider(s); I began working on it;
  2. restrictions on sessions (IP binding, UserAgent binding, unique session binding)
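
The session restrictions in item 2 (IP and User-Agent binding), expressed with the SessionMetadata and SessionCheckInfo hooks named in the task description; this is an added example, not SecureSessions code and not part of any comment on this task. The class name, metadata key and rejection message are hypothetical, and the un-namespaced `FauxRequest` class name assumes a MediaWiki release from the period of this task.

```php
<?php
// Added example, not SecureSessions code. Assumed registration in extension.json:
//   "Hooks": {
//     "SessionMetadata": "ExampleSessionBinding::onSessionMetadata",
//     "SessionCheckInfo": "ExampleSessionBinding::onSessionCheckInfo"
//   }
class ExampleSessionBinding {
	/** Hypothetical key under which the binding is kept in the session metadata. */
	private const KEY = 'ExampleSessionBinding';

	/** Hash of the client properties the session is bound to: IP and User-Agent. */
	private static function fingerprint( $request ) {
		// getHeader() returns false when the header is absent; cast it to ''.
		$agent = (string)$request->getHeader( 'User-Agent' );
		return hash( 'sha256', $request->getIP() . "\n" . $agent );
	}

	/** Storing side: called each time the session backend is saved. */
	public static function onSessionMetadata( $backend, &$metadata, $requests ) {
		foreach ( $requests as $request ) {
			// Internal FauxRequests carry no real client address; skip them.
			if ( !( $request instanceof FauxRequest ) ) {
				$metadata[self::KEY] = self::fingerprint( $request );
				break;
			}
		}
		return true;
	}

	/** Checking side: called while a stored session is loaded for a request. */
	public static function onSessionCheckInfo( &$reason, $info, $request, $metadata, $data ) {
		// $metadata is false when nothing is stored yet; sessions saved without
		// a real request have no binding. Both are let through here.
		if ( !is_array( $metadata ) || !isset( $metadata[self::KEY] ) ) {
			return true;
		}
		if ( !hash_equals( $metadata[self::KEY], self::fingerprint( $request ) ) ) {
			// Logged by SessionManager; returning false rejects the session.
			$reason = 'Client IP or User-Agent does not match the stored session binding';
			return false;
		}
		return true;
	}
}
```

Because the handlers only add a metadata key and veto a load, they set no cookies. Whether unbound sessions should be accepted, as they are here, is a policy choice for the extension.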

Change 352708 had a related patch set (by Seb35) published:
[mediawiki/extensions/SecureSessions@master] [WIP] Partial conversion to AuthManager

I finished the part for Authentication (CountryBinding and Tor), see the gerrit patch 352708.

For the session part, there is currently an indefinite loop between this extension (the hook UserSetCookies) and SessionManager, this loop is pasted in P5472.

Change 446357 had a related patch set uploaded (by Hashar; owner: Hashar):
[integration/config@master] Disable test for ext not supporting AuthManager

Change 446357 merged by jenkins-bot:
[integration/config@master] Disable test for ext not supporting AuthManager