Turn logout link into a POST API call with refresh
Closed, Resolved · Public

Description

Turn logout link into a POST API call with refresh

It's better to get rid of any GET request with a CSRF token.

Gerrit patch set: https://gerrit.wikimedia.org/r/506386

See related: T25227

Event Timeline

sbassett created this task. May 6 2019, 3:11 PM
Restricted Application added a project: User-Ladsgroup. May 6 2019, 3:11 PM
Restricted Application added a subscriber: Aklapper.
sbassett triaged this task as Medium priority. May 6 2019, 3:12 PM
sbassett updated the task description.
TheDJ added a subscriber: TheDJ. May 8 2019, 8:55 AM

Change 511081 had a related patch set uploaded (by Fomafix; owner: Fomafix):
[mediawiki/core@master] [WIP] Use POST for logout

https://gerrit.wikimedia.org/r/511081

Change 511310 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/core@master] Deprecate logout token on GET

https://gerrit.wikimedia.org/r/511310

Change 511310 merged by jenkins-bot:
[mediawiki/core@master] Deprecate logout token on GET

https://gerrit.wikimedia.org/r/511310

Ladsgroup closed this task as Resolved. Jun 8 2019, 7:03 PM

\o/

Nikerabbit reopened this task as Open. Jun 10 2019, 2:47 PM
Nikerabbit added a subscriber: Nikerabbit.

@Ladsgroup If I visit Special:UserLogout directly, I only see text "Do you want to log out?" and no button or link to do anything.

Nikerabbit closed this task as Resolved. Jun 10 2019, 2:52 PM

Translatewiki.net. Looks like it caught some revision in between where there isn't a button, but the link text was already removed.

Tgr added a subscriber: Tgr. Sep 12 2019, 12:02 PM

Seems like the same thing doesn't work in the mobile interface - T232734: Mobile logout should not involve an interstitial

Aklapper removed a subscriber: Anomie. Oct 16 2020, 5:41 PM