Page MenuHomePhabricator
Create Task
Maniphest T208667

Tie reauthentication (login with elevated security) to a specific security level
Open, MediumPublic
Actions

Description

Currently when a user logs in (or reauthenticates) the login timestamp gets stored and elevated security checks just verify that that timestamp was less than $wgReauthenticateTime seconds ago. This is somewhat insecure - an attacker can wait for the user to do something mildly sensitive, then take over the account and use it for something very sensitive. It would be better if every different action type (security level) would require separate reauthentication.

This would require exposing the security level of the ongoing reauthentication to the auth framework, which is a good thing in general (as it would go a long way towards T197153: Make some providers optional for reauthentication).

See also: T420672: Implement separate reauthentication state for different actions

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
AuthManager: Modify security level handlingmediawiki/coremaster+983 -112
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Nov 4 2018, 4:45 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 4 2018, 4:45 AM
Tgr mentioned this in T207557: Don't count initial login as valid for any operation that requires reauth.Nov 4 2018, 4:47 AM
revi subscribed.Nov 4 2018, 9:29 AM
gerritbot subscribed.Nov 5 2018, 12:09 AM

Change 471664 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] [WIP] AuthManager: Modify security level handling

https://gerrit.wikimedia.org/r/471664

gerritbot added a project: Patch-For-Review.Nov 5 2018, 12:09 AM
chasemp triaged this task as Medium priority.Dec 9 2019, 4:42 PM
chasemp added a project: Security.Feb 10 2020, 10:57 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:06 PM
Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Mar 27 2023, 2:12 AM
Tgr mentioned this in T419152: Editing user JS/CSS pages of another user should require elevated security.Mar 5 2026, 7:59 PM
Johannnes89 subscribed.Mar 5 2026, 8:39 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMar 5 2026, 8:39 PM
Nirmos subscribed.Mar 6 2026, 7:08 AM
Wellverywell subscribed.Mar 6 2026, 11:27 AM
Bawolff subscribed.Mar 6 2026, 3:55 PM

This is somewhat insecure - an attacker can wait for the user to do something mildly sensitive, then take over the account and use it for something very sensitive.

The threat is probably more like the attacker forces a logout action and waits for the user to log back in (or for people who dont check remember me, just waits)

Tgr added a comment.Mar 7 2026, 12:39 PM

Yeah that's T207557: Don't count initial login as valid for any operation that requires reauth. We should definitely fix that one; other than having to be cautious about SUL3, it seems straightforward.

Separate reauth for each operation is something I'm less sure about. It would work fine as long as "operation" means special page name, but for more complex things (e.g. requiring reauth for a certain set of permissions, and then "operation" would be the permission name, and you might need multiple permissions for some actions" it might get messy, plus we'd need to keep track of what operations are allowed in the current session.

JTweed-WMF moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Mar 23 2026, 4:01 PM
Bugreporter mentioned this in T420672: Implement separate reauthentication state for different actions.Mar 25 2026, 4:22 AM
Bugreporter updated the task description. (Show Details)
Catrope merged a task: T420672: Implement separate reauthentication state for different actions.Mar 25 2026, 7:54 PM
Catrope added a parent task: T197160: All security-sensitive MediaWiki functionality should require elevated security.
Catrope subscribed.
gerritbot added a comment.Mar 30 2026, 1:20 PM

Change #471664 abandoned by Hashar:

[mediawiki/core@master] AuthManager: Modify security level handling

https://gerrit.wikimedia.org/r/471664

gerritbot added a comment.Mar 30 2026, 11:29 PM

Change #471664 restored by Thcipriani:

[mediawiki/core@master] AuthManager: Modify security level handling

https://gerrit.wikimedia.org/r/471664

gerritbot added a project: Patch-For-Review.Mar 30 2026, 11:29 PM
Restricted Application removed a project: Patch-Needs-Improvement. · View Herald TranscriptMar 30 2026, 11:29 PM
Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Mar 31 2026, 1:20 AM
MBH subscribed.Wed, Apr 15, 12:11 AM
Tgr mentioned this in T419621: Move site JS reauth code out into WikimediaCustomizations.Sat, May 2, 2:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits