By default authlogic effectively disables CSRF protection, because it does not provide an override of handle_unverified_request that clears the user_credentials cookie. See this blog post for details.
Authlogic should override handle_unverified_request in a manner similar to devise. Current applications using authlogic are vulnerable to CSRF unless they provide such an override themselves.
I have found this issue too. It took me ages to figure out, and requires you to have noticed it in the first place, which is unlikely.
I am happy to write a patch if wanted.
This is a vulnerability @binarylogic.
As I see it, a universal fix isn't that simple. Authlogic requires that you define current_user_session, which means that the instance variables that cache the current user session could be different in each app, so Authlogic couldn't reliably implement the fix as mentioned here.
The only way to have the fix live within Authlogic is to change the Authlogic Rails adapter to define current_user_session, and thus have Authlogic take control of how the session is cached and be able to kill it with more certainty. The problem is that everyone using Authlogic has already implemented current_user_session and may never remove their definition (given that this update happens), and thus would still be vulnerable.
So for now, the easiest fix is an app-specific definition of handle_unverified_request as mentioned in the article above. Which sucks, because by default Authlogic is blatantly susceptible to CSRF attacks. Unless, of course, we make a small but fundamental change to its interface and get everyone to update not just their version, but their implementation :)
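To make the failure mode and the app-side fix concrete, here is an added example in plain Ruby. It is not code from Authlogic, Rails, Devise or the linked blog post; it simulates the three pieces the discussion turns on: a forgery check whose default handler only resets the Rails session, an Authlogic-style persistence cookie (user_credentials), and an app-defined current_user_session that memoizes its result in an instance variable (which is exactly what Authlogic cannot clear for you). All class, method and cookie names, and the sample request, are constructed for the illustration.

```ruby
# Added example: a plain-Ruby simulation, not Rails, Authlogic or Devise code.
# Models a forgery check whose default handler only resets the Rails session,
# an Authlogic-style persistence cookie, and an app-defined, memoized
# current_user_session. All names and the sample request are constructed.

UserSession = Struct.new(:user)

class Request
  attr_reader :session, :cookies, :params

  def initialize(session:, cookies:, params:)
    @session, @cookies, @params = session, cookies, params
  end
end

class VulnerableController
  SESSION_TOKEN = '_csrf_token'

  def initialize(request)
    @request = request
  end

  # Stand-in for protect_from_forgery: verified only when the submitted token
  # matches the one stored in the Rails session.
  def verified_request?
    token = @request.session[SESSION_TOKEN]
    !token.nil? && @request.params['authenticity_token'] == token
  end

  # Stand-in for the default behaviour (reset_session / null_session): the
  # Rails session is dropped, but app-managed cookies are left untouched.
  def handle_unverified_request
    @request.session.clear
  end

  # App-defined, as Authlogic requires: finds the session through the
  # persistence cookie and memoizes it in an app-specific instance variable.
  def current_user_session
    return @current_user_session if defined?(@current_user_session)
    creds = @request.cookies['user_credentials']
    @current_user_session = creds && UserSession.new(creds)
  end

  def current_user
    current_user_session && current_user_session.user
  end

  # Simulated request cycle: an earlier filter (e.g. request logging) touches
  # current_user before the forgery check, then the action runs.
  def process
    current_user
    handle_unverified_request unless verified_request?
    current_user
  end
end

class HardenedController < VulnerableController
  # App-specific override in the spirit of the fix discussed in the thread:
  # reset the Rails session, delete the persistence cookie, and drop the
  # memoized lookup so the action cannot run as the cookie's user.
  def handle_unverified_request
    super
    @request.cookies.delete('user_credentials')
    @current_user_session = nil
  end
end

# Constructed sample: a cross-site POST that carries the victim's persistence
# cookie but no valid authenticity token.
def forged_request
  Request.new(
    session: { '_csrf_token' => 'token-set-by-site' },
    cookies: { 'user_credentials' => 'alice' },
    params:  { 'amount' => '100' }
  )
end

# Constructed sample: a same-site form submission with the right token.
def legitimate_request
  Request.new(
    session: { '_csrf_token' => 'token-set-by-site' },
    cookies: { 'user_credentials' => 'alice' },
    params:  { 'amount' => '100', 'authenticity_token' => 'token-set-by-site' }
  )
end

# Returns the user the action would execute as for the given controller.
def user_seen_by(controller_class, request = forged_request)
  controller_class.new(request).process
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable, forged request: #{user_seen_by(VulnerableController).inspect}"
  puts "hardened,   forged request: #{user_seen_by(HardenedController).inspect}"
  puts "hardened,   legit request:  #{user_seen_by(HardenedController, legitimate_request).inspect}"
end
```

The vulnerable controller still runs the forged action as the cookie's user because the session reset never touches the persistence cookie or the memoized @current_user_session; the hardened override clears both and leaves legitimate, token-bearing requests unaffected. The memoization is what makes the problem app-specific: the override has to know the name of the instance variable the app's own current_user_session uses.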
Obviously this issue has been addressed by the comments above by @garygreyling. However, it's really undesirable to have this gem be insecure by default; at the very least it goes against what Rails stands for (convention over configuration). Could it provide a default implementation or, at the very least, a call-out in the README to implement one yourself?
Adding note about CSRF protection to README.
Adding note about CSRF protection to README. (#448)