Conversation

@wouterj (Member) commented Feb 5, 2022

The login form already had CSRF protection, but logout didn't yet in this demo application. Generally, I think it's a good idea to add CSRF protection to logout. At the very least, it avoids annoying situations where a website can force users to log out from your service on each visit. But depending on the type of application, things can also get more serious and cause actual security issues when CSRF on logout isn't enabled.

Fortunately, CSRF protection on logout is quite easy using the logout_path() helper: it automatically knows the logout URL of the current firewall and it automatically adds the correct CSRF token to the URL. I think the logout path/url helpers are little known gems in Symfony, so let's showcase them :)
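
As an added illustration (not a template from this PR or from the Symfony demo), here is what the unprotected and the protected logout links look like side by side in a Twig template. It assumes a firewall named `main` whose logout is configured with `path: app_logout` and `enable_csrf: true` in `config/packages/security.yaml` (the firewall name, route name and host are assumptions; `enable_csrf` exists since Symfony 5.1, older versions use `csrf_token_generator: security.csrf.token_manager`), and relies on the defaults `csrf_parameter: _csrf_token` and `csrf_token_id: logout`:

```twig
{# Added example, not the demo application's own template.
   Assumed firewall configuration in config/packages/security.yaml:

   security:
       firewalls:
           main:
               logout:
                   path: app_logout
                   enable_csrf: true
                   csrf_parameter: _csrf_token  (default, shown for clarity)
                   csrf_token_id: logout        (default, shown for clarity)
#}

{# BEFORE: unprotected logout link. Logout is triggered by a plain GET, so any
   third-party page can embed <img src="https://example.test/logout"> (host is
   an assumption) and the visitor is logged out of the service on every visit. #}
<a href="{{ path('app_logout') }}">Logout (unprotected)</a>

{# AFTER: logout_path() resolves the logout route of the firewall the current
   request belongs to and appends ?_csrf_token=... for the token id "logout".
   With enable_csrf on, a logout request whose token is missing or invalid is
   rejected instead of ending the session. #}
<a href="{{ logout_path() }}">Logout</a>

{# The same link built by hand. The token id passed to csrf_token() must match
   csrf_token_id, and the query parameter name must match csrf_parameter. #}
<a href="{{ path('app_logout', {'_csrf_token': csrf_token('logout')}) }}">Logout (manual)</a>

{# Absolute URL variant with an explicit firewall key, needed when rendering
   for a firewall other than the one handling the current request. #}
<a href="{{ logout_url('main') }}">Logout (absolute URL)</a>
```

The helper form is preferable to the manual one because it cannot drift from the firewall configuration: if the logout route, parameter name or token id is changed in `security.yaml`, `logout_path()` picks the new values up, whereas the hand-built link silently starts producing rejected logout requests.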

@seb-jean (Contributor) commented Feb 5, 2022

I didn't know about this logout_path() helper.
So thank you @wouterj.

@javiereguiluz (Member) commented
Thank you Wouter.

@javiereguiluz javiereguiluz merged commit f1ee7c6 into symfony:main Feb 7, 2022
@wouterj wouterj deleted the logout-csrf branch February 7, 2022 09:46
javiereguiluz added a commit that referenced this pull request Dec 8, 2022
…r (rosier)

This PR was merged into the main branch.

Discussion
----------

Add CSRF protection to logout url in the user controller

Fixes: #1314

Related: #1312

Commits
-------

044b910 Add CSRF protection to logout url in the user controller