Page MenuHomePhabricator

API Login session time limit
Closed, DeclinedPublic

Description

Author: M8R-udfkkf

Description:
For the API Login, it would be nice if there was a modifiable session time limit.

For example, a parameter lgsessionlimit=300

would mean that the sessionid would be valid for only 700 minutes (seconds would be silly).

This would be primarily a security enhancement and make session hijacking more difficult if a bot op forgot (or couldn't) logout.


Version: unspecified
Severity: enhancement
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=35220

Details

Reference
bz26538

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:23 PM
bzimport added a project: MediaWiki-API.
bzimport set Reference to bz26538.
bzimport added a subscriber: Unknown Object (MLST).
Reedy added a comment.Jun 5 2011, 9:52 PM

Unless I'm missing something, there doesn't seem to be core functionality for this yet...

(In reply to Sam Reed (reedy) from comment #1)

Unless I'm missing something, there doesn't seem to be core functionality
for this yet...

time limited token support was added with gerrit 156336
Maybe with that feature it is possible to time limit the login token (or allow time limits for other tokens with a time param for meta=tokens)

(In reply to Umherirrender from comment #2)

time limited token support was added with Gerrit change #156336
Maybe with that feature it is possible to time limit the login token (or
allow time limits for other tokens with a time param for meta=tokens)

The time limit for the time-limited tokens is determined by whatever uses the token, not by what issues it.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 28 2015, 11:21 PM
Anomie closed this task as Declined.Jun 16 2016, 2:52 PM

With SessionManager, invalidating a session after a particular time should be easy enough now: Set the expiry timestamp in the session and use the SessionCheckInfo hook to check that value. OTOH, you'd have to also make sure the client didn't use an equivalent of the "remember me" checkbox, or they might just wind up still logged in with a new session once the old one expired.

But bots should really be changed to use OAuth these days, especially if they're worried enough about session hijacking that they would use the feature being requested here. So I'm declining this.