Last modified: 2011-03-13 18:05:38 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and, apart from displaying bug reports and their history, links might be broken. See T19422, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 17422 - Use Sessions instead of cookies for Login
Status: RESOLVED WONTFIX
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: unspecified
Hardware: All
OS: All
Importance: Lowest enhancement
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2009-02-09 09:55 UTC by tim987
Modified: 2011-03-13 18:05 UTC
CC: 3 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description tim987 2009-02-09 09:55:46 UTC
Currently MediaWiki uses cookies when users log in. The next version of MediaWiki should use sessions instead of cookies. The advantages are:

More secure. If a person accidentally clicks 'remember me' when they log in using a public computer, and they close the browser thinking it will log them out, another person who uses the public computer and goes to the wiki the previous user was at will now have full access to someone else's account.

Sessions work on browsers that have cookies disabled.

So can MediaWiki use sessions for login instead of cookies in the next version, please?
Comment 1 Alexandre Emsenhuber [IAlex] 2009-02-11 18:39:18 UTC
I don't understand you; we already use sessions to store login when "Remember me" is not checked.
If you don't want cookies, you can set $wgCookieExpiration = 0; which since 1.14 disables the "Remember me" option.
Comment 2 Brad Jorsch 2009-02-13 03:18:58 UTC
Do you realize that url-parameter-based sessions (as opposed to cookie-based sessions, which is what MediaWiki uses currently) will leave the session key in the browser's url history, no matter whether you click "remember me" or not?
Comment 3 tim987 2009-02-18 02:46:38 UTC
Alexandre Emsenhuber, try this using IE7:

Click Tools, then click "delete browsing history" and clear everything. Close IE7.

Now open IE7, click on Tools, Internet options, Privacy, and slide to choose the setting "BLOCK ALL COOKIES", then go to bugzilla.wikimedia.org and log in with your email and password, then click on "enter a new bug", and you will see it will log you out, so you will NOT be able to enter a new bug report.
This is because MediaWiki uses COOKIES, and if cookies are DISABLED on a web browser, you cannot log in OR you will be LOGGED out.
Using Sessions works WITHOUT cookies. That's why I said use Sessions instead of cookies.

Another example: with your cookies STILL blocked, go to wikipedia.org and log in, and it will say this:

"Login error.Wikipedia uses cookies to log in users. You have cookies disabled. Please enable them and try again."


Brad Jorsch, the Session key is DELETED when a user closes their browser.
Comment 4 Brion Vibber 2009-02-18 02:51:24 UTC
URL-based session tokens are unsafe (they leak to 3rd-party referers and in cut-n-paste), disrupt caching, and are otherwise troublesome -- cookies were introduced to HTTP precisely to allow state like login sessions to be handled more sensibly than this.

MediaWiki does not and will not support URL-based sessions due to those problems.

If you are referring instead to HTTP authentication, that's even harder to deal with -- there's no native way to close a login session or forget credentials temporarily. We have no intention to support this either, though there are HTTP auth plugins available.
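The following is an added example, not code from MediaWiki or from anyone in this thread. It shows, in plain PHP, the cookie-only session setup that comment 4 argues for (session identifiers accepted only from a cookie, never from the URL, so they do not end up in Referer headers, browser history or pasted links) together with the browser-lifetime cookie that comment 1 describes via $wgCookieExpiration = 0, and a logout that clears both the server-side session and the cookie. All function names, the constructed request and the example user value are this example's own.

```php
<?php
// Added example (not MediaWiki code): a minimal cookie-only PHP session setup.
// It demonstrates the choices discussed in this bug:
//  - session identifiers travel only in a cookie, never in the URL, so they do
//    not leak through Referer headers, browser history or copy-and-paste;
//  - the cookie is a "session cookie" (lifetime 0), which the browser discards
//    when closed, the equivalent of $wgCookieExpiration = 0 in MediaWiki;
//  - logout destroys the server-side session and expires the cookie.
// Function and parameter names are this example's own (hypothetical).

declare(strict_types=1);

function configureCookieOnlySessions(bool $httpsOnly = true): void
{
    // Never accept a session id from the query string or request body, and
    // never rewrite links or forms to carry it (the URL scheme rejected above).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not issue itself (defends against fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,           // session cookie: gone when the browser closes
        'path'     => '/',
        'domain'   => '',          // current host only
        'secure'   => $httpsOnly,  // only sent over HTTPS
        'httponly' => true,        // not readable from JavaScript
        'samesite' => 'Lax',       // not attached to most cross-site requests
    ]);
}

// Returns true when the request carries no session id in its query string.
// Serving such a request would re-create the leak path described in comment 4.
function requestHasNoSessionIdInUrl(array $query, string $sessionName): bool
{
    return !array_key_exists($sessionName, $query);
}

function startSessionForLogin(): void
{
    session_start();
    // Issue a fresh id at the moment of authentication so that any id seen
    // before login is worthless afterwards.
    session_regenerate_id(true);
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the cookie in the browser as well as deleting server-side data.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage (constructed request flow; $_GET is whatever the web server provided):
configureCookieOnlySessions(true);
if (!requestHasNoSessionIdInUrl($_GET, session_name())) {
    http_response_code(400);
    exit('session identifiers are only accepted from cookies');
}
startSessionForLogin();
$_SESSION['user'] = 'example-user';   // constructed value, set after a real login check
```

The array form of session_set_cookie_params() requires PHP 7.3 or later; on older versions the same settings are passed as positional arguments. Note that this setup still depends on the browser accepting cookies, which is exactly the trade-off the thread settles on: the login error quoted in comment 3 is the expected outcome when cookies are blocked, not a defect.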
