
MediaWiki should log user out of all sessions when going to Special:Userlogout
Open, Medium, Public

Description

Currently in MediaWiki (but not when CentralAuth is installed), if you go to Special:Userlogout, it logs you out of your current session. It does not log you out of your other sessions.

CentralAuth on the other hand does log you out of all sessions (via changing the equivalent of user_token).

It's not 100% clear which is the most desirable behaviour. I personally lean towards the CentralAuth behaviour. I think we should change vanilla MediaWiki to be like CentralAuth.

If we want to keep vanilla MediaWiki, at the very least there needs to be a button to log someone out of all sessions (Special:UserLogout/force? Link from Special:Preferences?)

Event Timeline

Tasks for MediaWiki-extensions-CentralAuth that desire the opposite to happen: T37220: Allow per-session log out and T51890: Logging out on a different device logs me out everywhere else.

I also recall a comment mentioning the behaviour for CentralAuth was not intended as a feature (but not exactly a bug either) but I can't find it. (T51890#3443693?, but contradicted by T51890#536298)

chasemp triaged this task as Medium priority. Dec 9 2019, 4:40 PM

If we want to keep vanilla MediaWiki, at the very least there needs to be a button to log someone out of all sessions (Special:UserLogout/force? Link from Special:Preferences?)

Currently the only way to achieve that is to change your password (or at least use the password change interface; I think providing the current value again as new value would work).
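
The two logout behaviours compared in this task, as a simplified model added here for illustration; it is not MediaWiki or CentralAuth code, and the class, method and user names are assumptions. Each session keeps the per-user token it saw at login, so rotating that token invalidates every session at once, while a per-session logout only removes one session id.

```python
import hmac
import secrets


class SessionStore:
    """Toy model: every session is bound to the user's token at login time."""

    def __init__(self):
        self.user_token = {}  # username -> current secret token (hypothetical store)
        self.sessions = {}    # session id -> (username, token seen at login)

    def login(self, user):
        token = self.user_token.setdefault(user, secrets.token_hex(16))
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, token)
        return sid

    def is_valid(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        user, seen = entry
        if hmac.compare_digest(seen, self.user_token[user]):
            return True
        # Token was rotated after this session was created: drop the stale entry.
        del self.sessions[sid]
        return False

    def logout_current(self, sid):
        """Per-session logout: only this session id is destroyed."""
        self.sessions.pop(sid, None)

    def logout_everywhere(self, user):
        """Rotate the user's token; all sessions bound to the old one fail."""
        self.user_token[user] = secrets.token_hex(16)


def demo():
    store = SessionStore()
    laptop, phone = store.login("alice"), store.login("alice")  # constructed users
    other = store.login("bob")
    store.logout_current(laptop)
    after_single = (store.is_valid(laptop), store.is_valid(phone))
    store.logout_everywhere("alice")
    after_all = (store.is_valid(phone), store.is_valid(other))
    return after_single, after_all
```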