On Sat, Oct 13, 2012 at 10:11 PM, Daniel Friesen <daniel@nadir-seen-fire.com> wrote:
We should probably update the documentation for $wgSecretKey; however, I'm not sure of the best way to write it.
Leucosticte pasted your message into [1], which is a start.
At the same time it's worth noting the warning about user_token. It does not apply to any new user_token but old user_tokens for users who have not updated their passwords resulting in the reset of user_token on wikis that have not done a full reset will still be somewhat vulnerable to $wgSecretKey leaks.
Your last sentence is hard to understand.
I updated the explanation of user_token in the User_table page[2]. I removed the link to an explanation of Edit_token[3], since that seems to have nothing to do with the user_token. I think MW only uses user_token as the cookie "{$wgCookiePrefix}Token" when you click "Remember my login on this browser", and maybe for CentralAuth.
[1] https://www.mediawiki.org/wiki/Manual:%24wgSecretKey
[2] https://www.mediawiki.org/wiki/Manual:User_table#user_token
[3] https://www.mediawiki.org/wiki/Manual:Edit_token