Page MenuHomePhabricator

Don't show intermediate step during log out action on the MinervaNeue skin
Closed, ResolvedPublic


T25227: Use token when logging out improved security when it comes to user log out action. Previously, any GET request sent to Special:UserLogout page triggered the log out action. That was an issue as attacker could easily put an html that would logout user from Wikimedia. and now every request to the Special:UserLogout needs the logoutToken calculated by the system.

Otherwise system will present an intermediate step, it will ask for confirmation before logging out user.

image.png (534×343 px, 26 KB)

To avoid the intermediate state, please pass the logoutToken param with the logout link.

QA Steps

  • Verify that logging out doesn't show an intermediate state.

Developer notes:

This can be achieved by passing param:

'logoutToken' => $this->user->getEditToken( 'logoutToken', $this->request )

To the $authLinksQuery in the AuthMenuEntry::buildComponentsForLoggedIn() method

Event Timeline

pmiazga moved this task from Incoming to Triaged but Future on the Readers-Web-Backlog board.
ovasileva lowered the priority of this task from High to Medium.Jun 6 2019, 3:02 PM
ovasileva moved this task from Triaged but Future to Upcoming on the Readers-Web-Backlog board.

Change 515510 had a related patch set uploaded (by D3r1ck01; owner: Derick Alangi):
[mediawiki/skins/MinervaNeue@master] menu: Add system generated logoutToken on logout action in Minerva

xSavitar moved this task from Backlog to Under Review on the User-xSavitar board.

The issue was fixed by @D3r1ck01 - thanks for your contribution.
I reviewed the patch and did QA - moving to Ready for Sign off on kanbanana board.

xSavitar updated the task description. (Show Details)
xSavitar moved this task from Under Review to Reviewed/Resolved on the User-xSavitar board.

Change 515510 merged by jenkins-bot:
[mediawiki/skins/MinervaNeue@master] menu: Add system generated logoutToken on logout action in Minerva

ovasileva claimed this task.