Page MenuHomePhabricator

LocalSettings.php lacks wgSecureLogin, wgCookieHttpOnly and wgCookieSecure
Open, Needs TriagePublic


We recently installed WikiMedia 1.25. Around the same time, a sister project added a wiki. Both projects failed to enable wgSecureLogin and wgCookieSecure, and plain text passwords were used in subsequent logins.

According to documentation, the wiki installer is supposed to make a copy of DefaultSettings.php and provide them LocalSettings.php. We can edit LocalSettings.php, but we are not supposed to modify DefaultSettings.php ( and

However, LocalSettings.php did not have wgSecureLogin, wgCookieHttpOnly and wgCookieSecure configuration settings that were present in DefaultSettings.php.

I can't help but feel if the installer copied the settings, then it would have alerted me (and the sister project's administrator) to tune the configuration. In their absence, I (and the sister project's administrator) incorrectly assumed MediaWiki did the right thing and had a secure default.

To be clear, folks who run an HTTPS server expect something like the following to be secure and consistent with best practices:

$wgSecureLogin = true;
$wgCookieHttpOnly = true;
$wgCookieSecure = detect;

It would probably be a very good idea to ensure wgSecureLogin, wgCookieHttpOnly and wgCookieSecure are present in LocalSetttings.php created in the field, with appropriate comments stating when to change wgSecureLogin = false to wgSecureLogin = true.

Event Timeline

Noloader raised the priority of this task from to Needs Triage.
Noloader updated the task description. (Show Details)
Noloader added a subscriber: Noloader.
$wgCookieHttpOnly = true;
$wgCookieSecure = detect;

Are the defaults in DefaultSettings.php.

$wgSecureLogin could be set to true, but that only works if the $wgServer value is protocol relative.
Using $wgForceHTTPS is a better choice.