Difference between #1 and #2 of
Logout CSRF Protection

Revision #2 has been created by Rodrigo Coelho on May 10, 2011, 3:03:55 AM with the memo:

Small correction

Title unchanged

Logout CSRF Protection

Category unchanged


Yii version unchanged

Tags unchanged

Security, CSRF, Logout CSRF

Content changed

This kind of CSRF exploits the fact that logout URLs are usually unprotected.
Logout CSRF does not pose a major threat, but it is annoying for users.

### Logout CSRF and Yii

Yii is a very secure framework. But as of version 1.1.7, the code generated by
gii / "yiic webapp" isn't protected against Logout CSRF.
When you enable Yii's CSRF validation, all forms carry the validation token and are therefore better protected against CSRF, but the logout link is not a form and remains unprotected.
If you want to help protect your users against this annoyance, follow the tutorial below.
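As an added example (not the wiki page's own code nor Yii's generated code), the plain GET logout link beside a POST-only variant that carries Yii's CSRF token. It assumes Yii 1.1 with `enableCsrfValidation` turned on for the `request` component; the `class` attribute and the exception message are illustrative.

```php
<?php
// Added example, not from the wiki page or from Yii's generated code.
// Assumed config in protected/config/main.php:
//   'components' => array('request' => array('enableCsrfValidation' => true)),

// --- View side (e.g. protected/views/layouts/main.php) ---

// As generated: a plain GET link. Any cross-site <img src="..."> or auto-
// submitted form can hit it, and it carries no CSRF token at all.
echo CHtml::link('Logout (' . Yii::app()->user->name . ')', array('/site/logout'));

// Hardened: render logout as a POST form. With enableCsrfValidation on,
// CHtml::beginForm() appends the hidden YII_CSRF_TOKEN field automatically,
// and CHttpRequest rejects any POST whose token does not match the cookie.
echo CHtml::beginForm(array('/site/logout'), 'post', array('class' => 'logout'));
echo CHtml::submitButton('Logout (' . Yii::app()->user->name . ')');
echo CHtml::endForm();

// --- Controller side (protected/controllers/SiteController.php) ---

class SiteController extends CController
{
    // Refuse GET so the old link (or a forged one) can no longer end the
    // session; only a token-bearing POST reaches logout().
    public function actionLogout()
    {
        if (!Yii::app()->request->isPostRequest) {
            throw new CHttpException(400, 'Logout must be requested via POST.');
        }
        Yii::app()->user->logout();
        $this->redirect(Yii::app()->homeUrl);
    }
}
```

Keeping both the POST-only check in the action and the CSRF token in the form matters: the verb check alone still lets an attacker-controlled cross-site form POST to the URL, and the token check only runs on POST requests.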

Tutorial: How to get rid of Logout CSRF in Yii
Version: 1.1
Category: Tutorials
Written by: Rodrigo Coelho
Created on: May 9, 2011