
API Login session time limit
Closed, Declined (Public)

Description

Author: M8R-udfkkf

Description:
For the API login, it would be nice if there were a modifiable session time limit.

For example, a parameter lgsessionlimit=300

would mean that the sessionid would be valid for only 700 minutes (seconds would be silly).

This would be primarily a security enhancement and would make session hijacking more difficult if a bot op forgot (or couldn't) log out.


Version: unspecified
Severity: enhancement
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=35220

Details

Reference
bz26538

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 11:23 PM
bzimport set Reference to bz26538.
bzimport added a subscriber: Unknown Object (MLST).

Unless I'm missing something, there doesn't seem to be core functionality for this yet...

(In reply to Sam Reed (reedy) from comment #1)

Unless I'm missing something, there doesn't seem to be core functionality
for this yet...

Time-limited token support was added with Gerrit change 156336.
Maybe with that feature it is possible to time limit the login token (or allow time limits for other tokens with a time param for meta=tokens)

(In reply to Umherirrender from comment #2)

time limited token support was added with Gerrit change #156336
Maybe with that feature it is possible to time limit the login token (or
allow time limits for other tokens with a time param for meta=tokens)

The time limit for the time-limited tokens is determined by whatever uses the token, not by what issues it.

With SessionManager, invalidating a session after a particular time should be easy enough now: Set the expiry timestamp in the session and use the SessionCheckInfo hook to check that value. OTOH, you'd have to also make sure the client didn't use an equivalent of the "remember me" checkbox, or they might just wind up still logged in with a new session once the old one expired.

But bots should really be changed to use OAuth these days, especially if they're worried enough about session hijacking that they would use the feature being requested here. So I'm declining this.
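The mechanism sketched in the comment above (store an expiry timestamp in the session, reject the session in a SessionCheckInfo-style check once it has passed, and refuse to combine a time limit with a "remember me" login that would simply mint a fresh session) as an added, self-contained model. This is example code, not MediaWiki's SessionManager; the metadata keys, the `start_session`/`check_session` names and the minute-based `limit_minutes` parameter (mirroring the proposed `lgsessionlimit`) are assumptions.

```python
import time

# Constructed upper bound for the requested limit; not a MediaWiki setting.
SESSION_LIMIT_MINUTES_MAX = 24 * 60


def start_session(session_id, now, limit_minutes=None, remember_me=False):
    """Build session metadata at login time.

    limit_minutes models the lgsessionlimit parameter requested in the task
    (in minutes, as the description suggests). A persistent ("remember me")
    login is refused when a limit is set: once the limited session expired,
    the persistent credential would just create a new session, which is the
    caveat raised in the last comment.
    """
    metadata = {"id": session_id, "created": now, "persisted": remember_me}
    if limit_minutes is not None:
        if not 0 < limit_minutes <= SESSION_LIMIT_MINUTES_MAX:
            raise ValueError("session limit out of range")
        if remember_me:
            raise ValueError("a time-limited session cannot also be persistent")
        # Hard expiry stored in the session itself, as the comment proposes.
        metadata["hardExpiry"] = now + limit_minutes * 60
    return metadata


def check_session(metadata, now=None):
    """Model of the SessionCheckInfo-style validation step.

    Returns (ok, reason); a False result means the stored session must not
    be used and the reason is what a server would log.
    """
    now = time.time() if now is None else now
    expires = metadata.get("hardExpiry")
    if expires is None:
        return True, None  # no limit requested: unchanged behaviour
    if now >= expires:
        return False, "session %s is past its hard expiry" % metadata["id"]
    if metadata.get("persisted"):
        # Defence in depth: a limited session that somehow became persistent
        # is rejected here too, not only at login.
        return False, "time-limited session %s must not be persistent" % metadata["id"]
    return True, None


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed login time (epoch seconds)
    session = start_session("bot-session", t0, limit_minutes=300)
    print(check_session(session, t0 + 299 * 60))  # (True, None)
    print(check_session(session, t0 + 300 * 60))  # expired
```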