Opened 10 years ago

Closed 10 years ago

#2792 closed enhancement (fixed)

Users can logout by a simple GET request

Reported by: HannesHH
Owned by: Tom Hughes
Priority: minor
Milestone:
Component: website
Version:
Keywords: logout, security
Cc:


Currently logging out from is done by simply GETting

One can simply forge e.g. an <img src="">. If someone is logged in and visits any(!) website with that snippet in it, the user will get logged out from OSM. Imagine someone putting it in a diary post. :-)

A fix would be to also pass the session id (secret to strangers) and only logout if the supplied session id matches the one the server knows. Many sites do it like that.

Change History (1)

comment:1 Changed 10 years ago by tomhughes

Resolution: fixed
Status: new → closed

(In [20476]) Require the session ID to log somebody out - if it isn't given we just show a confirmation page. Closes #2792.
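The mitigation the reporter proposes (only log out when the supplied session ID matches the one the server holds) and the behaviour the fix comment describes (show a confirmation page when it is not given), as an added example in plain Ruby. This is not the OSM code base or the change in [20476]; it assumes a simplified in-memory session store and request hashes in place of a web framework, and the requirement that the confirmed logout arrive as a POST is an extra hardening not stated on the ticket.

```ruby
# Added example, not the OSM code base: a logout endpoint that ends a session
# only when the request carries the session ID the server already holds. Any
# other request (e.g. one triggered by a forged <img src="/logout">) gets a
# confirmation page instead of being logged out.
require 'securerandom'
require 'cgi'

# In-memory session store standing in for the framework's session layer.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Logs a user in and returns the new session ID (the cookie value).
  def login(user)
    id = SecureRandom.hex(16)
    @sessions[id] = { user: user }
    id
  end

  def logged_in?(id)
    @sessions.key?(id)
  end

  def destroy(id)
    @sessions.delete(id)
  end
end

# Constant-time comparison so the check does not leak how many leading
# characters of the secret a guess got right.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The confirmation page carries the session ID as a hidden field, so only a
# form the server rendered for this user can complete the logout. A third-party
# page cannot read that value, which is what defeats the forged request.
def confirmation_page(session_id)
  token = CGI.escapeHTML(session_id)
  "<form method=\"post\" action=\"/logout\">" \
    "<input type=\"hidden\" name=\"session\" value=\"#{token}\">" \
    "<button>Log out</button></form>"
end

# request is a constructed hash:
#   { method: 'GET' | 'POST', cookies: { 'session_id' => ... }, params: { 'session' => ... } }
def handle_logout(store, request)
  session_id = request[:cookies]['session_id']
  return { status: 302, location: '/' } unless store.logged_in?(session_id)

  supplied = request[:params]['session']
  if request[:method] == 'POST' && secure_compare(supplied, session_id)
    store.destroy(session_id)
    { status: 302, location: '/', logged_out: true }
  else
    { status: 200, body: confirmation_page(session_id) }
  end
end

# Walk through the scenario from the ticket with constructed requests.
def demo
  store = SessionStore.new
  sid = store.login('alice')

  # 1. The forged <img src="/logout"> request: the browser attaches the cookie
  #    but no session parameter, so the handler only renders the confirmation.
  forged = handle_logout(store, { method: 'GET', cookies: { 'session_id' => sid }, params: {} })
  still_logged_in = store.logged_in?(sid)

  # 2. The user submits the confirmation form the server rendered for them.
  confirmed = handle_logout(store, { method: 'POST', cookies: { 'session_id' => sid },
                                     params: { 'session' => sid } })
  {
    forged_status: forged[:status],
    still_logged_in_after_forgery: still_logged_in,
    logged_out: confirmed[:logged_out] == true,
    session_gone: !store.logged_in?(sid)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Run the file directly to see the forged request answered with the confirmation page (status 200, session intact) and the confirmed submission ending the session. A dedicated random per-session token stored server-side works the same way and keeps the cookie's own value out of page markup, which is the form most frameworks' CSRF protection takes.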
