This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

Users can logout by a simple GET request #2792

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 1 comment

Comments

@openstreetmap-trac

Reporter: HannesHH
[Submitted to the original trac issue database at 10.00am, Saturday, 13th March 2010]

Currently logging out from openstreetmap.org is done by simply GETting http://www.openstreetmap.org/logout

One can simply forge e.g. an . If someone is logged in and visits any(!) website with that snippet in it, the user will get logged out from OSM. Imagine someone putting it in a diary post. :-)

A fix would be to also pass the session id (secret to strangers) and only logout if the supplied session id matches the one the server knows. Many sites do it like that.

@openstreetmap-trac

Author: tomhughes
[Added to the original trac issue at 3.29pm, Sunday, 14th March 2010]

(In [20476]) Require the session ID to log somebody out - if it isn't given we just
show a confirmation page. Closes #2792.
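
The behaviour described in this thread, sketched as an added example (not OpenStreetMap's code and not part of either comment): the logout handler ends the session only when the request supplies the session ID, and otherwise renders a confirmation page. The `SessionStore` class, the `session` parameter name and the form markup are assumptions made for illustration.

```ruby
require "securerandom"

# Hypothetical in-memory session store (session id => user); all data is constructed.
class SessionStore
  def initialize
    @sessions = {}
  end

  def create(user)
    id = SecureRandom.hex(16)
    @sessions[id] = user
    id
  end

  def user_for(id)
    @sessions[id]
  end

  def destroy(id)
    @sessions.delete(id)
  end
end

# Compare without returning early on the first differing byte.
def same_token?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# cookie_sid: session id the browser attaches automatically, even to forged requests.
# supplied_sid: hypothetical "session" request parameter a third-party page cannot know.
def handle_logout(store, cookie_sid, supplied_sid)
  return [:redirect_home, nil] unless store.user_for(cookie_sid)

  if same_token?(cookie_sid, supplied_sid)
    store.destroy(cookie_sid)
    [:logged_out, nil]
  else
    # Missing or wrong id: keep the session and ask the user to confirm.
    form = %(<form method="post" action="/logout">) +
           %(<input type="hidden" name="session" value="#{cookie_sid}">) +
           %(<input type="submit" value="Logout"></form>)
    [:confirm_page, form]
  end
end
```

A bare request to the logout URL now leaves the session intact; only the confirmation form served to the logged-in user carries the ID needed to complete the logout.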
