Discussion (3)
Chris Shiflett wrote an interesting article about this problem: http://shiflett.org/articles/cross-site-request-forgeries
He talks about "cross site" but as you see it's actually worse than that. A solution to this problem would be to implement the logout as a POST form.
A safer, more reliable way to guard against CSRF is to make destructive action URLs impossible for an attacker to create. For example, require a parameter which is a big number based on something in the "victim's" session. A salted hash of the logged-in user's session_id works pretty well.
Mouse over the signout link above to see how I've done it.
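As an added illustration of the two ideas in the comments above (logout as a POST form, plus a per-session token derived from the session id) the following Python sketch is not the commenter's code and not this site's implementation. It assumes a server-side secret (`SERVER_SECRET`, a placeholder here) and models the request and session as plain dicts; the "salted hash" is implemented as HMAC-SHA256 keyed with that secret, so the value cannot be recomputed by anyone who does not hold the key, and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder. In a real deployment load this from configuration,
# never hard-code it, and rotate it if it is ever exposed.
SERVER_SECRET = b"example-server-secret-do-not-use"


def csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a per-session anti-CSRF token from the session id.

    This is the 'salted hash of the session_id' idea from the comment, done as a
    keyed HMAC: the 'salt' is a secret the server knows and an attacker does not,
    so a cross-site page cannot build a valid logout request for the victim.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_token(session_id: str, presented: str, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time check of the token the client sent back."""
    expected = csrf_token(session_id, secret)
    return hmac.compare_digest(expected, presented or "")


def signout_form_html(session_id: str) -> str:
    """Render the sign-out control as a POST form carrying the hidden token."""
    token = csrf_token(session_id)
    return (
        '<form method="post" action="/logout">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<button type="submit">Sign out</button>'
        "</form>"
    )


def handle_logout(request: dict, session: dict) -> tuple:
    """Simulated /logout handler.

    request: {'method': 'GET'|'POST', 'form': {...}}  (constructed shape)
    session: the server-side session for the requesting browser; 'id' is the
             session id, which the token is bound to.
    Returns (status_code, message).
    """
    # A plain link (GET) can be triggered by an <img> or a redirect; refuse it.
    if request.get("method") != "POST":
        return 405, "logout must be submitted as a POST form"
    token = request.get("form", {}).get("csrf_token", "")
    if not is_valid_token(session["id"], token):
        return 403, "missing or invalid CSRF token"
    session.clear()  # destroy the server-side session
    return 200, "signed out"


if __name__ == "__main__":
    sid = secrets.token_hex(16)
    session = {"id": sid, "user": "alice"}
    print(signout_form_html(sid))
    # A forged cross-site request: wrong method, or a token the attacker cannot know.
    print(handle_logout({"method": "GET"}, dict(session)))
    print(handle_logout({"method": "POST", "form": {"csrf_token": "guess"}}, dict(session)))
    # The real form submission from the user's own page.
    print(handle_logout({"method": "POST", "form": {"csrf_token": csrf_token(sid)}}, session))
```

Two practical notes on the design: putting the token in a hidden form field rather than in the link's query string keeps it out of Referer headers, proxy logs and browser history, and deriving it from the session id means it is automatically invalidated when the session is rotated at login or logout.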
It didn't work, sorry...