*/
$wgSecureLogin = false;
+/**
+ * Versioning for authentication tokens.
+ *
+ * If non-null, this is combined with the user's secret (the user_token field
+ * in the DB) to generate the token cookie. Changing this will invalidate all
+ * active sessions (i.e. it will log everyone out).
+ *
+ * @since 1.27
+ * @var string|null
+ */
+$wgAuthenticationTokenVersion = null;
+
/** @} */ # end user accounts }
/************************************************************************//**
if ( ( $sName === $proposedUser->getName() ) && $passwordCorrect ) {
$this->loadFromUserObject( $proposedUser );
- $request->setSessionData( 'wsToken', $this->mToken );
+ $request->setSessionData( 'wsToken', $this->getToken( false ) );
wfDebug( "User: logged in from $from\n" );
return true;
} else {
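Review bot: `getToken( false )` can now return null, so when the freshly loaded `$proposedUser` has no user_token this stores null in `wsToken` where the old code stored whatever `$this->mToken` held; whichever code later compares the session value against the stored token must treat null as "no token" rather than matching it against an empty value, and that comparison site is not visible from this hunk. The same applies to the later hunk that builds `$session` and `$cookies`, where `$cookies['Token']` would carry null instead of the explicit `false` used for the non-remember case, so it is worth confirming the cookie layer treats those two the same way. The enclosing function starts and ends outside the hunk.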
* Get the user's current token.
* @param bool $forceCreation Force the generation of a new token if the
* user doesn't have one (default=true for backwards compatibility).
- * @return string Token
+ * @return string|null Token
*/
public function getToken( $forceCreation = true ) {
+ global $wgAuthenticationTokenVersion;
+
$this->load();
if ( !$this->mToken && $forceCreation ) {
$this->setToken();
}
- return $this->mToken;
+
+ // If the user doesn't have a token, return null to indicate that.
+ // Otherwise, hmac the version with the secret if we have a version.
+ if ( !$this->mToken ) {
+ return null;
+ } elseif ( $wgAuthenticationTokenVersion === null ) {
+ return $this->mToken;
+ } else {
+ $ret = MWCryptHash::hmac( $wgAuthenticationTokenVersion, $this->mToken, false );
+
+ // The raw hash can be overly long. Shorten it up.
+ $len = max( 32, self::TOKEN_LENGTH );
+ if ( strlen( $ret ) < $len ) {
+ // Should never happen, even md5 is 128 bits
+ throw new \UnexpectedValueException( 'Hmac returned less than 128 bits' );
+ }
+ return substr( $ret, -$len );
+ }
}
/**
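Review bot: The guard before `substr` compares against `$len = max( 32, self::TOKEN_LENGTH )`, but the exception message hardcodes "less than 128 bits", which becomes wrong whenever TOKEN_LENGTH exceeds 32; `throw new \UnexpectedValueException( "Hmac returned fewer than $len hex characters" );` keeps the message truthful. Since every branch of the `if`/`elseif`/`else` returns, the chain reads more easily as guard clauses (`if ( !$this->mToken ) { return null; }` followed by `if ( $wgAuthenticationTokenVersion === null ) { return $this->mToken; }`) with the hmac code unindented at the end. The comment "The raw hash can be overly long" is also slightly misleading because `$raw = false` yields a hex string; `// hmac() returns hex here, so keeping the last $len characters retains $len * 4 bits (at least 128)` states what the floor actually protects.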
}
$session = array(
'wsUserID' => $this->mId,
- 'wsToken' => $this->mToken,
+ 'wsToken' => $this->getToken( false ),
'wsUserName' => $this->getName()
);
$cookies = array(
'UserName' => $this->getName(),
);
if ( $rememberMe ) {
- $cookies['Token'] = $this->mToken;
+ $cookies['Token'] = $this->getToken( false );
} else {
$cookies['Token'] = false;
}