With the merge of Icb674095,[1] use of API action=logout will require a CSRF token. This was considered a security issue, so the usual deprecation process was not followed. See T25227[2] for details.

Clients that do not use a CSRF token with action=logout will receive a badtoken error message **and will not be logged out**.

This change should be deployed to Wikimedia wikis with 1.34.0-wmf.3. See https://www.mediawiki.org/wiki/MediaWiki_1.34/Roadmap for a schedule.

Overall client impact is expected to be relatively low, as gathered statistics indicate there are relatively few users of this API call. None the less, maintainers should check their code for use of action=logout and update as necessary to maintain expected operation.

[1]: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/504565

[2]: https://phabricator.wikimedia.orgdo not use /T25227

[3]: https://phabricator.wikimedia.org/T25227#4902709

Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation