Opened 9 years ago

Closed 9 years ago

#2792 closed enhancement (fixed)

Users can logout by a simple GET request

Reported by: HannesHH Owned by: Tom Hughes
Priority: minor Milestone:
Component: website Version:
Keywords: logout, security, Cc:

Description

Currently logging out from openstreetmap.org is done by simply GETting http://www.openstreetmap.org/logout

One can simply forge e.g. an <img src="http://www.openstreetmap.org/logout">. If someone is logged in and visits any(!) website with that snippet in it, the user will get logged out from OSM. Imagine someone putting it in a diary post. :-)

A fix would be to also pass the session id (secret to strangers) and only logout if the supplied session id matches the one the server knows. Many sites do it like that.

Change History (1)

comment:1 Changed 9 years ago by tomhughes

Resolution: fixed
Status: new → closed

(In [20476]) Require the session ID to log somebody out - if it isn't given we just show a confirmation page. Closes #2792.
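The following is an added example, not code from the OpenStreetMap website or from changeset [20476]. It models the problem the description reports and the fix the comment describes: a logout handler that ends the session on any request, beside one that only acts when the request echoes back the session id and otherwise renders a confirmation page. The `SessionStore`, `Request`, the `"session"` parameter name and the `logout_vulnerable` / `logout_fixed` functions are all assumptions made for the illustration; the session store is an in-memory stand-in.

```ruby
require 'securerandom'

# Constructed in-memory session store standing in for the server-side session
# (hypothetical; not the OSM website's own session handling).
class SessionStore
  def initialize
    @sessions = {}
  end

  # Log a user in: mint a random session id and remember who owns it.
  def create(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = user
    sid
  end

  def user_for(sid)
    @sessions[sid]
  end

  def destroy(sid)
    @sessions.delete(sid)
  end
end

# Minimal stand-in for an HTTP request: the session id arrives in the cookie,
# the logout token (if any) arrives in the query string or form body.
Request = Struct.new(:cookie_sid, :params, keyword_init: true)

# Constant-time string comparison so the token check does not leak via timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The behaviour the ticket reports: any request to /logout ends the session,
# so a cross-site <img src=".../logout"> that carries the cookie is enough.
def logout_vulnerable(store, req)
  return :not_logged_in unless store.user_for(req.cookie_sid)
  store.destroy(req.cookie_sid)
  :logged_out
end

# The fixed behaviour: the request must also carry the session id as a
# parameter (hypothetical name "session"). A third-party page cannot read the
# cookie, so a forged request lacks it; the server then only shows a
# confirmation page and the session survives.
def logout_fixed(store, req)
  return :not_logged_in unless store.user_for(req.cookie_sid)
  return :confirm unless secure_equal?(req.params["session"], req.cookie_sid)
  store.destroy(req.cookie_sid)
  :logged_out
end

# What the confirmation page contains: a form that posts the session id back.
# Only the site's own page can fill this in, because only it knows the id.
def confirmation_form(sid)
  %(<form method="post" action="/logout">) +
    %(<input type="hidden" name="session" value="#{sid}">) +
    %(<button>Log out</button></form>)
end

if __FILE__ == $PROGRAM_NAME
  store = SessionStore.new
  sid = store.create("alice")
  forged = Request.new(cookie_sid: sid, params: {}) # what a cross-site <img> triggers
  puts "vulnerable handler, forged request: #{logout_vulnerable(store, forged)}"

  sid = store.create("alice")
  forged = Request.new(cookie_sid: sid, params: {})
  puts "fixed handler, forged request:      #{logout_fixed(store, forged)}"
  puts confirmation_form(sid)
  genuine = Request.new(cookie_sid: sid, params: { "session" => sid })
  puts "fixed handler, genuine request:     #{logout_fixed(store, genuine)}"
end
```

Run it with `ruby logout_example.rb`: the vulnerable handler logs the user out on the forged request, while the fixed handler answers the same request with the confirmation page and only ends the session once the posted `session` value matches the cookie. A modern framework would use its CSRF token rather than the raw session id, but the property is the same: the request must carry a secret the attacker's page cannot obtain.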
