Difference between #1 and #2 of
Logout CSRF Protection

Changes

Title unchanged

Logout CSRF Protection

Category unchanged

Tutorials

Yii version unchanged

Tags unchanged

Security, CSRF, Logout CSRF

Content changed

[...]
This kind of CSRF exploits the fact that the logout URLs are usually unprotected.
The Logout CSRF doesn't pose major threats, but is annoying for the users.

### Logout CSRF and Yii

Yii is a very secure framework. But as of version 1.1.7, the code generated by gii"yiic webapp" isn't protected against Logout CSRF.
When you enable Yii's CSRF validation, all forms will have the validation token, thus being more protected against CSRF, but the logout link is not a form and remains unprotected.
If you want to help protect your users against this annoyance, follow the tutorial below.

Tutorial: How to get rid of Logout CSRF in Yii
----------------------------------------------
[...]
10 0
11 followers
Viewed: 29 579 times
Version: 1.1
Category: Tutorials
Tags: CSRF, Logout CSRF, security
Written by: Rodrigo Coelho
Last updated by: Rodrigo Coelho
Created on: May 9, 2011
Last updated: 12 years ago
Update Article
Revert to #1 | Revert to #2

Revisions

View all history