Revision #2 has been created by Rodrigo Coelho on May 10, 2011, 3:03:55 AM with the memo:
Small correction
Changes
Title
unchanged
Logout CSRF Protection
Category
unchanged
Tutorials
Yii version
unchanged
Tags
unchanged
Security, CSRF, Logout CSRF
Content
changed
[...]
Logout CSRF exploits the fact that logout URLs are usually unprotected: any page the victim visits can embed a request to the logout URL (for example as an image source), the browser sends it with the victim's session cookie attached, and the victim is logged out without having asked for it.
Logout CSRF does not pose a major threat, but it is annoying for users.
### Logout CSRF and Yii
Yii is a very secure framework, but as of version 1.1.7 the skeleton application generated by `yiic webapp` is not protected against Logout CSRF.
When you enable Yii's CSRF validation (`enableCsrfValidation` on the `request` component), every form rendered with `CHtml::form()` carries the validation token and the request component checks it on POST requests, so those forms are protected against CSRF. The logout link, however, is a plain GET link rather than a form: no token is sent and none is checked, so it remains unprotected.
If you want to help protect your users against this annoyance, follow the tutorial below.
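As an added illustration (this is not the article's own tutorial, which is cut from this revision view, and not code from the Yii project), here is the unprotected logout from the `yiic webapp` skeleton beside a hardened version that only accepts a POST carrying the CSRF token. The file paths and the `logout-form` id are assumptions for this example.

```php
<?php
// ---- protected/config/main.php (excerpt) ----
// Without this, CHtml::beginForm() emits no token and CHttpRequest checks none.
return array(
    'components' => array(
        'request' => array(
            'enableCsrfValidation' => true,
        ),
    ),
);

// ---- protected/controllers/SiteController.php ----
class SiteController extends CController
{
    // BEFORE (yiic webapp skeleton, shown for comparison): any GET to
    // /site/logout ends the session, so an attacker's page containing
    //   <img src="http://app.example/site/logout">
    // logs the visitor out of the application.
    //
    //   public function actionLogout()
    //   {
    //       Yii::app()->user->logout();
    //       $this->redirect(Yii::app()->homeUrl);
    //   }

    // AFTER: only a POST reaches the logout call. Because enableCsrfValidation
    // is on, CHttpRequest has already rejected any POST whose token does not
    // match the one stored in the user's CSRF cookie, so a cross-site form
    // POST fails as well.
    public function actionLogout()
    {
        if (!Yii::app()->request->isPostRequest) {
            throw new CHttpException(400, 'Logout must be requested with POST.');
        }
        Yii::app()->user->logout();
        $this->redirect(Yii::app()->homeUrl);
    }
}

// ---- protected/views/layouts/main.php (excerpt) ----
// BEFORE: the skeleton's CMenu item with 'url' => array('/site/logout')
// renders a plain GET link, so no token is involved.
// AFTER: a POST form. CHtml::beginForm() adds the hidden CSRF field itself
// when the method is post and enableCsrfValidation is on.
if (!Yii::app()->user->isGuest) {
    echo CHtml::beginForm(array('/site/logout'), 'post', array('id' => 'logout-form'));
    echo CHtml::submitButton('Logout (' . CHtml::encode(Yii::app()->user->name) . ')');
    echo CHtml::endForm();
}
```

The POST check in the action is what closes the hole: the token alone would not help, because Yii 1.1 only validates the CSRF token on POST requests, so a GET link would still bypass it.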
Tutorial: How to get rid of Logout CSRF in Yii
----------------------------------------------
[...]