
Don't show intermediate step during log out action on the MinervaNeue skin
Closed, ResolvedPublic

Description

T25227: Use token when logging out improved the security of the user log-out action. Previously, any GET request sent to the Special:UserLogout page triggered the log-out. That was a problem because an attacker could easily embed HTML (for example an image or link pointing at Special:UserLogout) in a page that would log the user out of Wikimedia. Now every request to Special:UserLogout needs the logoutToken calculated by the system for that user's session.

Otherwise the system presents an intermediate step: it asks for confirmation before logging the user out.


To avoid the intermediate step, pass the logoutToken param with the logout link.

QA Steps

  • Verify that logging out from the Minerva menu no longer shows the intermediate confirmation step.

Developer notes:

This can be achieved by adding the following parameter:

'logoutToken' => $this->user->getEditToken( 'logoutToken', $this->request )

to the $authLinksQuery array in the AuthMenuEntry::buildComponentsForLoggedIn() method, so that the emitted logout link carries the token.
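The following stand-alone PHP script is an added example and is not MediaWiki or MinervaNeue code. It models the behaviour described in the task: the old handler logs the user out on any GET, the new handler logs out only when the request carries a token bound to the victim's session and otherwise shows the confirmation form, and the Minerva menu link is built with that token so the confirmation step is skipped. DemoSession, handleLogoutInsecure, handleLogoutSecure, buildMinervaLogoutHref and the returnto parameter are hypothetical; in MediaWiki the real token comes from User::getEditToken( 'logoutToken', $request ) (and is additionally timestamped) and is checked by matchEditToken() inside the Special:UserLogout page.

```php
<?php
// Added example, not MediaWiki/MinervaNeue code: a self-contained model of the
// logout-token check from T25227 and of the link Minerva must emit for it.
// All class and function names below are hypothetical.

class DemoSession {
    /** @var string per-session secret, generated at login (hypothetical) */
    public $secret;

    public function __construct() {
        $this->secret = bin2hex( random_bytes( 16 ) );
    }

    /** Token bound to this session and to a salt naming the action. */
    public function getEditToken( string $salt ): string {
        return hash_hmac( 'sha256', $salt, $this->secret );
    }

    /** Constant-time comparison; a missing or foreign token never matches. */
    public function matchEditToken( ?string $token, string $salt ): bool {
        return $token !== null && hash_equals( $this->getEditToken( $salt ), $token );
    }
}

/** Pre-T25227 behaviour: any GET to Special:UserLogout logs the user out. */
function handleLogoutInsecure( array $query ): string {
    return 'LOGGED_OUT';
}

/** Post-T25227 behaviour: log out only with a valid token, else show the confirmation form. */
function handleLogoutSecure( DemoSession $session, array $query ): string {
    $token = $query['logoutToken'] ?? null;
    if ( $session->matchEditToken( $token, 'logoutToken' ) ) {
        return 'LOGGED_OUT';
    }
    return 'CONFIRMATION_FORM';
}

/** The link Minerva's menu should build once logoutToken is part of $authLinksQuery. */
function buildMinervaLogoutHref( DemoSession $session, string $returnto ): string {
    $authLinksQuery = [
        'returnto'    => $returnto,
        'logoutToken' => $session->getEditToken( 'logoutToken' ),
    ];
    return '/wiki/Special:UserLogout?' . http_build_query( $authLinksQuery );
}

/** Parse the query string of a link back into the array a request handler sees. */
function queryFromHref( string $href ): array {
    parse_str( (string)parse_url( $href, PHP_URL_QUERY ), $query );
    return $query;
}

$victim = new DemoSession();

// 1. A cross-site page embeds <img src=".../Special:UserLogout?returnto=Main_Page">
//    (constructed input): the old handler logs the victim out with no token at all.
$forged = queryFromHref( '/wiki/Special:UserLogout?returnto=Main_Page' );
echo 'old handler, forged GET: ', handleLogoutInsecure( $forged ), "\n";

// 2. The same forged request against the token-checking handler.
echo 'new handler, forged GET: ', handleLogoutSecure( $victim, $forged ), "\n";

// 3. A token taken from a different session does not match the victim's.
$other = new DemoSession();
$guessed = queryFromHref( '/wiki/Special:UserLogout?logoutToken=' . $other->getEditToken( 'logoutToken' ) );
echo 'new handler, token from another session: ', handleLogoutSecure( $victim, $guessed ), "\n";

// 4. Minerva's own link carries the victim's token, so no intermediate step is shown.
$minerva = queryFromHref( buildMinervaLogoutHref( $victim, 'Main_Page' ) );
echo 'new handler, Minerva link: ', handleLogoutSecure( $victim, $minerva ), "\n";
```

Running the script shows the four cases in order: the forged GET logs the user out under the old handler, the forged GET and the foreign token both land on the confirmation form under the new handler, and only the Minerva link that includes the session-bound token logs the user out directly. The check is keyed by a per-session secret, which is what makes the token unguessable from another origin and why the skin, rather than the attacker, must be the one to supply it.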

Event Timeline

pmiazga created this task. Jun 6 2019, 3:00 PM
Restricted Application added a subscriber: Aklapper. Jun 6 2019, 3:00 PM
pmiazga triaged this task as High priority. Jun 6 2019, 3:00 PM
pmiazga moved this task from Incoming to Triaged but Future on the Readers-Web-Backlog board.
ovasileva lowered the priority of this task from High to Normal. Jun 6 2019, 3:02 PM
ovasileva moved this task from Triaged but Future to Upcoming on the Readers-Web-Backlog board.

Change 515510 had a related patch set uploaded (by D3r1ck01; owner: Derick Alangi):
[mediawiki/skins/MinervaNeue@master] menu: Add system generated logoutToken on logout action in Minerva

https://gerrit.wikimedia.org/r/515510

D3r1ck01 claimed this task. Jun 8 2019, 10:25 AM
Restricted Application added a project: User-D3r1ck01. Jun 8 2019, 10:25 AM
D3r1ck01 moved this task from Backlog to Bugs on the MinervaNeue board. Jun 8 2019, 10:25 AM
D3r1ck01 moved this task from Backlog to Under Review on the User-D3r1ck01 board.

The issue was fixed by @D3r1ck01 - thanks for your contribution.
I reviewed the patch and did QA - moving to Ready for Sign off on kanbanana board.

D3r1ck01 updated the task description.
D3r1ck01 moved this task from Under Review to Reviewed/Resolved on the User-D3r1ck01 board.

Change 515510 merged by jenkins-bot:
[mediawiki/skins/MinervaNeue@master] menu: Add system generated logoutToken on logout action in Minerva

https://gerrit.wikimedia.org/r/515510

ovasileva closed this task as Resolved. Jun 11 2019, 1:31 PM
ovasileva claimed this task.