
Turn logout link into a POST API call with refresh
Closed, Resolved · Public

Description

Turn logout link into a POST API call with refresh

It's better to get rid of any GET request with csrf token

Gerrit patch set: https://gerrit.wikimedia.org/r/506386

See related: T25227

Event Timeline

Restricted Application added a subscriber: Aklapper.
sbassett triaged this task as Medium priority. May 6 2019, 3:12 PM
sbassett updated the task description.

Change 511081 had a related patch set uploaded (by Fomafix; owner: Fomafix):
[mediawiki/core@master] [WIP] Use POST for logout

https://gerrit.wikimedia.org/r/511081

Change 511310 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/core@master] Deprecate logout token on GET

https://gerrit.wikimedia.org/r/511310

Change 511310 merged by jenkins-bot:
[mediawiki/core@master] Deprecate logout token on GET

https://gerrit.wikimedia.org/r/511310

Nikerabbit added a subscriber: Nikerabbit.

@Ladsgroup If I visit Special:UserLogout directly, I only see the text "Do you want to log out?" and no button or link to do anything.

Translatewiki.net. Looks like it caught some revision in between where there isn't a button, but the link text was already removed.

Seems like the same thing doesn't work in the mobile interface - T232734: Mobile logout should not involve an interstitial

If the issue is SAML specific, the extension should just provide an endpoint to call for logout.

I don't think we'd want to revert this change, as we'd lose at least a modest bit of security protection.

Also, I doubt it would help; T25227: Use token when logging out would probably break SAML logouts with or without POST. And we do want to have some kind of CSRF protection for logouts. Especially while we publish IP addresses for anonymous actions, third-party-initiated stealth logout can be abused to dox users.
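To make the design discussed in the task description and in the comment above concrete, here is an added example (not MediaWiki's own code) of a logout handler that serves the "Do you want to log out?" interstitial on GET, ignores any token passed on GET, and only ends the session on a POST carrying a valid CSRF token. The `Session` class, the `logoutToken` form field and the handler name are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for a server-side session (assumption, not MediaWiki's class)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    logged_in: bool = True


def handle_logout(session, method, token=None):
    """Hypothetical Special:UserLogout-style handler.

    Returns (status, body):
      'interstitial' - confirmation form was rendered, nothing changed
      'logged_out'   - session ended
      'rejected'     - request refused
    """
    if method == "GET":
        # GET never changes state, and a token sent on GET is ignored: a token in
        # the URL would leak through Referer headers, browser history and proxy
        # logs, and a cross-site <img>/<a> could otherwise log the user out.
        form = (
            '<form method="post" action="/wiki/Special:UserLogout">'
            f'<input type="hidden" name="logoutToken" value="{session.csrf_token}">'
            "<button>Log out</button></form>"
        )
        return "interstitial", form
    if method != "POST":
        return "rejected", "method not allowed"
    # Constant-time comparison so the check reveals nothing about the stored token.
    if token is None or not hmac.compare_digest(
        token.encode(), session.csrf_token.encode()
    ):
        return "rejected", "missing or invalid CSRF token"
    session.logged_in = False
    session.csrf_token = secrets.token_hex(16)  # rotate the token after use
    return "logged_out", "You are now logged out."
```

A cross-site GET therefore only produces the interstitial, and a cross-site POST cannot supply the per-session token, so the stealth-logout scenario in the comment above is blocked while a same-origin form submission still works.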