⚓ T222626 Turn logout link into a POST API call with refresh

	Project	Branch	Lines +/-	Subject
	mediawiki/core	master	+14 -1	[WIP] Use a form with POST for the logout button
	mediawiki/core	master	+60 -46	Deprecate logout token on GET

sbassett created this task.May 6 2019, 3:11 PM

Restricted Application added a project: User-Ladsgroup. · View Herald TranscriptMay 6 2019, 3:11 PM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

sbassett triaged this task as Medium priority.May 6 2019, 3:12 PM

sbassett updated the task description. (Show Details)

sbassett mentioned this in T25227: Use token when logging out.May 6 2019, 3:14 PM

ShakespeareFan00 added a subscriber: ShakespeareFan00.May 7 2019, 1:25 PM

ShakespeareFan00 removed a subscriber: ShakespeareFan00.

TheDJ added a subscriber: TheDJ.May 8 2019, 8:55 AM

Ladsgroup added a project: Wikimedia-Hackathon-2019.May 16 2019, 2:08 PM

Ladsgroup moved this task from Backlog to Projects on the Wikimedia-Hackathon-2019 board.

Change 511081 had a related patch set uploaded (by Fomafix; owner: Fomafix):
[mediawiki/core@master] [WIP] Use POST for logout

https://gerrit.wikimedia.org/r/511081

gerritbot added a project: Patch-For-Review.May 18 2019, 6:33 PM

Fomafix added a subscriber: Fomafix.May 18 2019, 7:12 PM

Change 511310 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/core@master] Deprecate logout token on GET

https://gerrit.wikimedia.org/r/511310

Change 511310 merged by jenkins-bot:
[mediawiki/core@master] Deprecate logout token on GET

https://gerrit.wikimedia.org/r/511310

\o/

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.10; 2019-06-18).Jun 8 2019, 8:00 PM

@Ladsgroup If I visit Special:UserLogout directly, I only see text "Do you want to log out?" and no button or link to do anything.

It works in beta as expected:

Where are you testing this?

Translatewiki.net. Looks like it caught some revision in between where there isn't a button, but the link text was already removed.

Tgr mentioned this in T232734: Mobile logout should not involve an interstitial.Sep 12 2019, 12:00 PM

Seems like the same thing doesn't work in the mobile interface - T232734: Mobile logout should not involve an interstitial

• chasemp added a project: Security.Feb 10 2020, 10:57 PM

Maintenance_bot moved this task from Incoming to Done on the User-Ladsgroup board.Feb 10 2020, 11:15 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:41 PM

This causes problems for SAML auth. See https://phabricator.wikimedia.org/T246350 and https://www.mediawiki.org/w/index.php?title=Topic:W5nyw48nx1pc2lsy

If the issue is SAML specific, the extension should just provide an endpoint to call for logout.

I don't think we'd want to revert this change, as we'd lose at least a modest bit of security protection.

Also, I doubt it would help, T25227: Use token when logging out would probably break SAML logouts with or without POST. And we do want to have some kind of CSRF protection for logouts. Especially while we publish IP addresses for anonymous actions, third-party-initiated stealth logout can be abused to dox users.

Osnard mentioned this in T305031: Error when logging out via API.Mar 30 2022, 8:47 AM

Ladsgroup mentioned this in T324638: Logging-out via sticky header and user menu without confirm step on Special:UserLogout.Jan 12 2023, 11:15 PM

Turn logout link into a POST API call with refresh
Closed, ResolvedPublic
Actions

Description

Details

Related Objects

Event Timeline

Turn logout link into a POST API call with refreshClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

Turn logout link into a POST API call with refresh
Closed, ResolvedPublic
Actions