[Mediawiki-api-announce] BREAKING CHANGE: Action API action=logout will require a CSRF token


Brad Jorsch (Anomie)
With the merge of Icb674095,[1] use of API action=logout will require a CSRF token. This was considered a security issue, so the usual deprecation process was not followed. See T25227[2] for details.

Clients that do not use a CSRF token with action=logout will receive a badtoken error message **and will not be logged out**.

This change should be deployed to Wikimedia wikis with 1.34.0-wmf.3. See https://www.mediawiki.org/wiki/MediaWiki_1.34/Roadmap for a schedule.

Overall client impact is expected to be relatively low, as gathered statistics indicate there are relatively few users of this API call. None the less, maintainers should check their code for use of action=logout and update as necessary to maintain expected operation.


--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation

_______________________________________________
Mediawiki-api-announce mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce

_______________________________________________
Mediawiki-api mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
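
The client-side update the announcement asks maintainers to make, as an added example that is not part of the original message or MediaWiki's code. It assumes the token is obtained with the Action API's `action=query&meta=tokens&type=csrf` request; `FakeWiki`, `logout` and `legacy_logout` are hypothetical names, and `FakeWiki` is a constructed in-memory stand-in for `api.php` so the example runs offline.

```python
import hmac
import secrets

class FakeWiki:
    """Constructed stand-in for api.php after the change (not MediaWiki code)."""
    def __init__(self):
        self.logged_in = True
        self._token = secrets.token_hex(16) + "+\\"  # session-bound CSRF token

    def post(self, params):
        action = params.get("action")
        if action == "query" and params.get("meta") == "tokens":
            return {"query": {"tokens": {"csrftoken": self._token}}}
        if action == "logout":
            if not hmac.compare_digest(params.get("token", ""), self._token):
                # Session is left untouched: the client is still logged in.
                return {"error": {"code": "badtoken", "info": "Invalid CSRF token."}}
            self.logged_in = False
            return {}
        return {"error": {"code": "badvalue"}}

def logout(post):
    """Updated client. `post` POSTs a dict of parameters and returns decoded JSON."""
    reply = post({"action": "query", "meta": "tokens", "type": "csrf", "format": "json"})
    token = reply["query"]["tokens"]["csrftoken"]
    result = post({"action": "logout", "token": token, "format": "json"})
    if "error" in result:
        # Never assume the session ended; surface the failure to the caller.
        raise RuntimeError("logout failed: " + result["error"]["code"])
    return True

def legacy_logout(post):
    """Pre-change client: sends no token. Returns the error code, or None."""
    result = post({"action": "logout", "format": "json"})
    return result.get("error", {}).get("code")
```

Against a real wiki, `post` would wrap an authenticated HTTP session that POSTs the parameters to the wiki's `api.php` and decodes the JSON reply. A client that discards the reply from `action=logout` would treat the session as closed while it is still valid, which is why `logout` raises on any error.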