Page MenuHomePhabricator

List active MediaWiki sessions for your account
Open, NormalPublic

Description

Currently, there’s no way for me to see which sessions are valid/active for my account on Wikimedia projects – if I want to be sure that I can’t be compromised by an old session, I have to change my password. It would be useful if MediaWiki instead offered a way to list those sessions, and ideally allowed me to selectively terminate them as well.

GitHub and Twitter have such a feature, for example:

In MediaWiki, this is currently offered by Extension:SecureSessions (CC @Parent5446), but that extension isn’t deployed on Wikimedia wikis and also doesn’t always work, for example due to T73066; in T73066#2386198, @Anomie outlined an alternative way to track sessions. I think it might be worth adding this as a core feature.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 12 2019, 9:54 PM

A question here is what is the definition of "session", particularly with respect to the "remember me" checkbox. Depending on the answer, this may be a duplicate of T58212: add ability to terminate certain login sessions.

eprodromou added a subscriber: eprodromou.

This seems like a pretty big feature. I'm going to move this into our new initiative queue and we'll work out how and whether we'll move forward with it.

CCicalese_WMF triaged this task as Normal priority.Tue, Oct 8, 5:12 PM
CCicalese_WMF edited projects, added Core Platform Team; removed CPT Initiatives.