Page MenuHomePhabricator

LocalSettings.php lacks wgSecureLogin, wgCookieHttpOnly and wgCookieSecure
Open, Needs TriagePublic

Description

We recently installed WikiMedia 1.25. Around the same time, a sister project added a wiki. Both projects failed to enable wgSecureLogin and wgCookieSecure, and plain text passwords were used in subsequent logins.

According to documentation, the wiki installer is supposed to make a copy of DefaultSettings.php and provide them LocalSettings.php. We can edit LocalSettings.php, but we are not supposed to modify DefaultSettings.php (https://www.mediawiki.org/wiki/Manual:Configuration_Settings and https://www.mediawiki.org/wiki/Manual:LocalSettings.php).

However, LocalSettings.php did not have wgSecureLogin, wgCookieHttpOnly and wgCookieSecure configuration settings that were present in DefaultSettings.php.

I can't help but feel if the installer copied the settings, then it would have alerted me (and the sister project's administrator) to tune the configuration. In their absence, I (and the sister project's administrator) incorrectly assumed MediaWiki did the right thing and had a secure default.

To be clear, folks who run an HTTPS server expect something like the following to be secure and consistent with best practices:

$wgSecureLogin = true;
$wgCookieHttpOnly = true;
$wgCookieSecure = detect;

It would probably be a very good idea to ensure wgSecureLogin, wgCookieHttpOnly and wgCookieSecure are present in LocalSetttings.php created in the field, with appropriate comments stating when to change wgSecureLogin = false to wgSecureLogin = true.

Event Timeline

Noloader created this task.Sep 2 2015, 12:58 AM
Noloader raised the priority of this task from to Needs Triage.
Noloader updated the task description. (Show Details)
Noloader added a subscriber: Noloader.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 2 2015, 12:58 AM
Aklapper set Security to None.