Page MenuHomePhabricator
Create Task
Maniphest T36237

user_token should automatically regenerate when NULL
Closed, ResolvedPublic
Actions

Description

Currently if a copy of your user table gets leaked out you have to regenerate the entire user_token column. I'm not even sure we have a user script to do that.

The User class code should be tweaked so that if a user_token is found to be NULL when a user is logging in a new one will be generated and the row will be updated.

This way instead of needing a maintenance script, all it will take to re-secure the database after a leak would be for the sysadmin to run UPDATE user SET user_token = NULL; and user tokens will be regenerated as needed.

Version: unspecified
Severity: normal

Details

Reference
bz34237

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 12:13 AM
bzimport added a project: MediaWiki-User-login-and-signup.
bzimport set Reference to bz34237.
bzimport added a subscriber: Unknown Object (MLST).
DanielFriesen created this task.Feb 7 2012, 3:15 AM
DanielFriesen added a comment.Feb 7 2012, 8:12 AM

r110825

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL