
LocalSettings.php lacks wgSecureLogin, wgCookieHttpOnly and wgCookieSecure
Open, Needs Triage, Public

Description

We recently installed WikiMedia 1.25. Around the same time, a sister project added a wiki. Both projects failed to enable wgSecureLogin and wgCookieSecure, and plain text passwords were used in subsequent logins.

According to documentation, the wiki installer is supposed to make a copy of DefaultSettings.php and provide them LocalSettings.php. We can edit LocalSettings.php, but we are not supposed to modify DefaultSettings.php (https://www.mediawiki.org/wiki/Manual:Configuration_Settings and https://www.mediawiki.org/wiki/Manual:LocalSettings.php).

However, LocalSettings.php did not have wgSecureLogin, wgCookieHttpOnly and wgCookieSecure configuration settings that were present in DefaultSettings.php.

I can't help but feel if the installer copied the settings, then it would have alerted me (and the sister project's administrator) to tune the configuration. In their absence, I (and the sister project's administrator) incorrectly assumed MediaWiki did the right thing and had a secure default.

To be clear, folks who run an HTTPS server expect something like the following to be secure and consistent with best practices:

$wgSecureLogin = true;
$wgCookieHttpOnly = true;
$wgCookieSecure = 'detect';

It would probably be a very good idea to ensure wgSecureLogin, wgCookieHttpOnly and wgCookieSecure are present in LocalSettings.php created in the field, with appropriate comments stating when to change wgSecureLogin = false to wgSecureLogin = true.

Event Timeline

Noloader raised the priority of this task from to Needs Triage.
Noloader updated the task description.
Noloader subscribed.
$wgCookieHttpOnly = true;
$wgCookieSecure = 'detect';

are the defaults in DefaultSettings.php.

$wgSecureLogin could be set to true, but that only works if the $wgServer value is protocol-relative.
Using $wgForceHTTPS is a better choice.
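The report's complaint is that the installer wrote none of these settings into LocalSettings.php, so an administrator has no prompt to review them, and the comment adds that $wgSecureLogin = true is only effective when $wgServer is protocol-relative, with $wgForceHTTPS being the better choice. The following is an added example, not part of this task or of MediaWiki: a standalone audit script that reads a LocalSettings.php and reports which of $wgSecureLogin, $wgCookieHttpOnly, $wgCookieSecure and $wgForceHTTPS are absent or weak, applying exactly the caveats raised above. Its parser is a simple regex over one-line assignments (it does not evaluate PHP), and the two LocalSettings.php samples embedded at the bottom are constructed for illustration.

```python
"""Audit a MediaWiki LocalSettings.php for cookie and login hardening.

Added example, not code from the task or from MediaWiki. It reports
settings that are missing (and therefore silently inherited from
DefaultSettings.php) or explicitly weak, and flags the $wgSecureLogin /
$wgServer interaction noted in the task comment.
"""
import re
from typing import Dict, List, Union

Value = Union[bool, str]

# Matches simple one-line assignments such as  $wgCookieSecure = 'detect';
# Only true/false and single- or double-quoted strings are understood.
ASSIGN_RE = re.compile(
    r"""^\s*\$(wg\w+)\s*=\s*(true|false|'[^']*'|"[^"]*")\s*;""",
    re.IGNORECASE,
)


def parse_settings(php_source: str) -> Dict[str, Value]:
    """Return {setting_name: value} for the simple assignments found.

    Lines commented out with '#' or '//' are skipped, and the last
    assignment of a name wins, as it would when PHP runs the file.
    """
    settings: Dict[str, Value] = {}
    for line in php_source.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", "//")):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.lower() == "true":
            settings[name] = True
        elif raw.lower() == "false":
            settings[name] = False
        else:
            settings[name] = raw[1:-1]  # strip the surrounding quotes
    return settings


def audit(settings: Dict[str, Value]) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    findings: List[str] = []
    server = settings.get("wgServer")

    # 1. Missing settings: the installer did not write them, so the admin is
    #    relying on DefaultSettings.php without having been prompted.
    for name in ("wgSecureLogin", "wgCookieHttpOnly", "wgCookieSecure"):
        if name not in settings:
            findings.append(f"{name} is not set in LocalSettings.php (inheriting the default)")

    # 2. Explicitly weak values. 'detect' for wgCookieSecure is accepted:
    #    it sets the Secure flag when the request itself arrived over HTTPS.
    if settings.get("wgCookieHttpOnly") is False:
        findings.append("wgCookieHttpOnly is false: session cookies are readable by page scripts")
    if settings.get("wgCookieSecure") is False:
        findings.append("wgCookieSecure is false: session cookies may be sent over plain HTTP")

    # 3. Caveat from the task comment: $wgSecureLogin = true only works when
    #    $wgServer is protocol-relative (starts with '//').
    if settings.get("wgSecureLogin") is True:
        if not (isinstance(server, str) and server.startswith("//")):
            findings.append(
                "wgSecureLogin is true but wgServer is not protocol-relative; "
                "prefer $wgForceHTTPS = true for an HTTPS-only wiki"
            )

    # 4. An https:// wgServer without wgForceHTTPS leaves plain HTTP reachable.
    if isinstance(server, str) and server.startswith("https://") \
            and settings.get("wgForceHTTPS") is not True:
        findings.append("wgServer is https:// but wgForceHTTPS is not true")

    return findings


# Constructed sample: an installer-generated file of the kind described in
# the report (HTTPS server, none of the three settings written).
SAMPLE_GENERATED = """<?php
$wgSitename = "Example Wiki";
$wgServer = "https://wiki.example.org";
# $wgCookieSecure = false;   // commented out, must be ignored
"""

# Constructed sample: the same file after hardening per the task comment.
SAMPLE_HARDENED = """<?php
$wgSitename = "Example Wiki";
$wgServer = "https://wiki.example.org";
$wgForceHTTPS = true;
$wgCookieHttpOnly = true;
$wgCookieSecure = true;
$wgSecureLogin = false;
"""

if __name__ == "__main__":
    for label, src in (("generated", SAMPLE_GENERATED), ("hardened", SAMPLE_HARDENED)):
        print(f"== {label} ==")
        for finding in audit(parse_settings(src)) or ["no findings"]:
            print(" -", finding)
```

Run against a real file with `audit(parse_settings(open("LocalSettings.php").read()))`; anything the script reports is a setting the installer left for you to decide rather than a setting that is known to be misconfigured, which is precisely the prompt the report asks the installer to provide.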