* The load.php entry point now enforces the existing policy of not allowing
access to session data, which includes the session user and the session
user's language. If such access is attempted, an exception will be thrown.
+* The number of internal PBKDF2 iterations used to derive the session secret
+ is configurable via $wgSessionPbkdf2Iterations.
=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
*/
$wgPHPSessionHandling = 'enable';
+/**
+ * Number of internal PBKDF2 iterations to use when deriving session secrets.
+ *
+ * @since 1.28
+ */
+$wgSessionPbkdf2Iterations = 10001;
+
/**
* If enabled, will send MemCached debugging information to $wgDebugLogFile
*/
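Review bot: The docblock added for `$wgSessionPbkdf2Iterations` says what the setting is but not what changing it does, which is the part an operator tuning it needs. Because getSecretKeys() in the same commit stores the count in the session (`wsSessionPbkdf2Iterations`) the first time keys are derived, a changed value appears to apply only to sessions that have not yet stored one, so existing sessions would keep their old count. A sentence such as `Lower values make key derivation cheaper but reduce its work factor; the default matches the previously hard-coded 10001.` plus a note that the count is persisted per session would make the setting's effect clear.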
* @return string[] Encryption key, HMAC key
*/
private function getSecretKeys() {
- global $wgSessionSecret, $wgSecretKey;
+ global $wgSessionSecret, $wgSecretKey, $wgSessionPbkdf2Iterations;
$wikiSecret = $wgSessionSecret ?: $wgSecretKey;
$userSecret = $this->get( 'wsSessionSecret', null );
$userSecret = \MWCryptRand::generateHex( 32 );
$this->set( 'wsSessionSecret', $userSecret );
}
+ $iterations = $this->get( 'wsSessionPbkdf2Iterations', null );
+ if ( $iterations === null ) {
+ $iterations = $wgSessionPbkdf2Iterations;
+ $this->set( 'wsSessionPbkdf2Iterations', $iterations );
+ }
- $keymats = hash_pbkdf2( 'sha256', $wikiSecret, $userSecret, 10001, 64, true );
+ $keymats = hash_pbkdf2( 'sha256', $wikiSecret, $userSecret, $iterations, 64, true );
return [
substr( $keymats, 0, 32 ),
substr( $keymats, 32, 32 ),
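Review bot: The iteration count read back from the session store at the added `$this->get( 'wsSessionPbkdf2Iterations', null )` line, and the configured `$wgSessionPbkdf2Iterations` it falls back to, reach hash_pbkdf2() without any check that they are positive integers. On PHP 7 hash_pbkdf2() returns false (with a warning) for a non-positive count, and the substr() calls in the return below would then hand back empty values for both the encryption and HMAC keys instead of failing; PHP 8 raises a ValueError instead. A guard before the call, `if ( !is_int( $iterations ) || $iterations < 1 ) {` / `throw new \UnexpectedValueException( 'Invalid PBKDF2 iteration count' );` / `}`, turns a misconfiguration or a corrupted stored value into an explicit error. The reason for persisting the count per session is not stated in the hunk; a comment such as `// Persist the count so existing sessions keep deriving the same keys if the setting changes` would help, assuming that is the intent. getSecretKeys() continues past the end of the hunk.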
global $wgLanguageConverterCacheType, $wgUseDatabaseMessages;
global $wgLocaltimezone, $wgLocalisationCacheConf;
global $wgDevelopmentWarnings;
- global $wgSessionProviders;
+ global $wgSessionProviders, $wgSessionPbkdf2Iterations;
global $wgJobTypeConf;
global $wgAuthManagerConfig, $wgAuth, $wgDisableAuthManager;
],
];
+ // Single-iteration PBKDF2 session secret derivation, for speed.
+ $wgSessionPbkdf2Iterations = 1;
+
// Generic AuthManager configuration for testing
$wgAuthManagerConfig = [
'preauth' => [],