Changes
Title
unchanged
Logout CSRF Protection
Category
unchanged
Tutorials
Yii version
unchanged
Tags
unchanged
Security, CSRF, Logout CSRF
Content
changed
[...]
This kind of CSRF exploits the fact that the logout URLs are usually unprotected.
The Logout CSRF doesn't pose major threats, but is annoying for the users.
### Logout CSRF and Yii
Yii is a very secure framework. But as of version 1.1.7, the code generated by gii"yiic webapp" isn't protected against Logout CSRF.
When you enable Yii's CSRF validation, all forms will have the validation token, thus being more protected against CSRF, but the logout link is not a form and remains unprotected.
If you want to help protect your users against this annoyance, follow the tutorial below.
Tutorial: How to get rid of Logout CSRF in Yii
----------------------------------------------[...]