Turn logout link into a POST API call with refresh
Closed, Resolved (Public)

Description

It's better to get rid of any GET request with a CSRF token.

Gerrit patch set: https://gerrit.wikimedia.org/r/506386

See related: T25227
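
The change this task describes, sketched as an added example (not the MediaWiki patch itself): the CSRF token travels in a POST body instead of a URL, and the page is refreshed after the API call succeeds. `apiUrl`, the injected `fetchImpl` and the `reload` callback are assumptions made so the sketch runs outside a browser.

```javascript
// Added example, not code from mediawiki/core.
// Build the logout request: POST, token in the body, nothing sensitive in the URL.
function buildLogoutRequest(apiUrl, token) {
  const body = new URLSearchParams({ action: 'logout', token, format: 'json' });
  return {
    url: apiUrl, // no query string, so the token stays out of logs and Referer headers
    init: {
      method: 'POST',
      credentials: 'same-origin',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Click handler body for the logout link: fetch a token, POST the logout, then refresh.
// fetchImpl is any fetch-compatible function; reload is e.g. () => location.reload().
async function logoutViaPost(fetchImpl, apiUrl, reload) {
  // Reading a token changes no state, so a GET is fine; the token comes back in the body.
  const tokenRes = await fetchImpl(
    `${apiUrl}?action=query&meta=tokens&type=csrf&format=json`,
    { method: 'GET', credentials: 'same-origin' }
  );
  const token = (await tokenRes.json()).query.tokens.csrftoken;

  const { url, init } = buildLogoutRequest(apiUrl, token);
  const data = await (await fetchImpl(url, init)).json();
  if (data.error) {
    // A stale or missing token ends up here; do not refresh as if logout had worked.
    throw new Error(`logout failed: ${data.error.code}`);
  }
  reload();
  return true;
}
```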

Event Timeline

Restricted Application added a subscriber: Aklapper.
sbassett triaged this task as Medium priority. May 6 2019, 3:12 PM
sbassett updated the task description.

Change 511081 had a related patch set uploaded (by Fomafix; owner: Fomafix):
[mediawiki/core@master] [WIP] Use POST for logout

https://gerrit.wikimedia.org/r/511081

Change 511310 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/core@master] Deprecate logout token on GET

https://gerrit.wikimedia.org/r/511310

Change 511310 merged by jenkins-bot:
[mediawiki/core@master] Deprecate logout token on GET

https://gerrit.wikimedia.org/r/511310

Nikerabbit added a subscriber: Nikerabbit.

@Ladsgroup If I visit Special:UserLogout directly, I only see text "Do you want to log out?" and no button or link to do anything.

Translatewiki.net. Looks like it caught some revision in between where there isn't a button, but the link text was already removed.

Seems like the same thing doesn't work in the mobile interface - T232734: Mobile logout should not involve an interstitial