dvikan.no

Do you protect your logout link from CSRF?

2011-05-02

The logout link is vulnerable to CSRF just like any other action that has a side effect. Being hit by a logout attack is not very dangerous, but it can be annoying, especially if users on a forum can set an arbitrary HTTP link as their profile picture. Then every user would be logged out each time they viewed that profile picture.

<img src="http://victim/logout.php">
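To make the difference concrete, here is an added example (not code from the original post) of a logout handler in the shape the post describes beside a hardened one. It uses a constructed in-memory session store and request dictionaries standing in for a real web framework; the protected handler requires POST and a CSRF token bound to the session, so a forged GET such as the image tag above no longer ends the session.

```python
import hmac
import secrets

# Constructed in-memory session store for this example: sid -> session data.
sessions = {}

def create_session(user):
    sid = secrets.token_urlsafe(16)
    # The CSRF token lives server-side in the session; the page echoes it into the logout form.
    sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def logout_vulnerable(request):
    """Behaves like the logout.php in the post: any request carrying a valid session
    cookie logs the user out, so a browser fetching <img src=".../logout.php"> succeeds."""
    sid = request.get("cookie")
    if sid in sessions:
        del sessions[sid]
        return 200, "logged out"
    return 200, "not logged in"

def logout_protected(request):
    """Hardened handler: logout must be a POST carrying the session's own CSRF token."""
    if request.get("method") != "POST":
        return 405, "logout requires POST"
    session = sessions.get(request.get("cookie"))
    if session is None:
        return 200, "not logged in"
    token = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison against the server-side token (never a value the request supplies twice).
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "bad csrf token"
    del sessions[request["cookie"]]
    return 200, "logged out"

def session_survives_image_tag(handler):
    """Simulate the forged request: a GET with the cookie attached and no form body,
    which is exactly what the browser sends when rendering the image tag."""
    sid = create_session("alice")
    handler({"method": "GET", "cookie": sid})
    return sid in sessions  # True means the attack failed

def legit_logout_result():
    """A real logout: POST from the site's own form, including the session's token."""
    sid = create_session("bob")
    form = {"csrf_token": sessions[sid]["csrf"]}
    status, _ = logout_protected({"method": "POST", "cookie": sid, "form": form})
    return status, sid in sessions

def logout_without_token_result():
    """A POST that was forged from another origin has no way to know the token."""
    sid = create_session("carol")
    status, _ = logout_protected({"method": "POST", "cookie": sid, "form": {}})
    return status, sid in sessions
```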