This repository has been archived by the owner on Jul 24, 2021. It is now read-only.
Reporter: HannesHH
[Submitted to the original trac issue database at 10.00am, Saturday, 13th March 2010]
Currently logging out from openstreetmap.org is done by simply GETting http://www.openstreetmap.org/logout
One can simply forge e.g. an . If someone is logged in and visits any(!) website with that snippet in it, the user will get logged out from OSM. Imagine someone putting it in a diary post. :-)
A fix would be to also pass the session id (secret to strangers) and only log out if the supplied session id matches the one the server knows. Many sites do it like that.
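The check proposed in the report, as an added example that is not part of the original issue or the OSM code base: a logout handler that refuses GET and only ends the session when the request carries a secret bound to that session. It assumes a separate per-session random token rather than the raw session id, and the names `SESSIONS`, `login`, `logout_token_for` and `handle_logout` are hypothetical.

```ruby
require "securerandom"

# Constructed in-memory session store: session id => session record.
SESSIONS = {}

# Creates a session and a per-session logout token (assumption: a separate
# random token is used instead of echoing the session id into page markup).
def login(user)
  sid = SecureRandom.hex(16)
  SESSIONS[sid] = { user: user, logout_token: SecureRandom.hex(16) }
  sid
end

# The value the site embeds in its own logout form. Another origin cannot
# read it, so a request forged from a third-party page cannot include it.
def logout_token_for(sid)
  SESSIONS.fetch(sid)[:logout_token]
end

# Byte-wise comparison that does not stop at the first mismatch.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns an HTTP status code. cookie_sid is what the browser attaches
# automatically; supplied_token must come from the request body.
def handle_logout(method:, cookie_sid:, supplied_token:)
  session = SESSIONS[cookie_sid]
  return 401 unless session              # unknown or expired session
  return 405 unless method == "POST"     # a GET must never change state
  return 403 unless secure_compare(supplied_token.to_s, session[:logout_token])
  SESSIONS.delete(cookie_sid)            # token matched: end the session
  200
end

if __FILE__ == $0
  sid = login("constructed_user")
  # Cross-site request: cookie is present, token is not.
  puts handle_logout(method: "GET",  cookie_sid: sid, supplied_token: nil)
  puts handle_logout(method: "POST", cookie_sid: sid, supplied_token: "")
  # Same-site form submit carrying the embedded token.
  puts handle_logout(method: "POST", cookie_sid: sid,
                     supplied_token: logout_token_for(sid))
end
```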