I'd like to require that all authenticated users of a Mediawiki instance re-login. This is MW v1.23 on Linux CentOS 6.5 x64, apache, mysql, memcached.
I'm not sure where PHP is storing the user sessions. I've checked /etc/php.ini, but didn't find anything explicit. I created a phpinfo() page, and found session.save_path unset. Perhaps MW is doing its own thing.
I have access to the code, the mysql database, the filesystem and memcached. Our installation authenticates to Active Directory using the LdapAuthentication extension.
I reviewed all settings in LocalSettings.php and came up empty.
I searched for all variables and their defaults that might influence where session is stored.
I found one solution, which is to change the value of $wgCookiePrefix. I'm looking for a solution that doesn't require changing configuration, such as deleting objects, files or database rows.
Ultimately I went with changing the value of $wgCookiePrefix. This was the simplest method to truly invalidate all user's authentication token cookies.
Deleting the php sess_ files did not force users to have to log in again. Upon next visit, another sess_ file was created and the user remained logged in.