Open. Arachnid opened this issue 14 years ago.
Maybe I don't understand this issue, but couldn't you just verify, in the LogoutHandler, that the HTTP_REFERER matches the current host? (And if they don't match, show an interstitial page asking if they really want to log out)
Currently the user could be forced to log out with a request to the logout URL. We need to add XSRF protection against this.
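As an added illustration (not code from this project), here is how a logout handler could combine the two defences discussed above: a POST carrying a per-session XSRF token logs out immediately, a GET whose Referer names the current host is accepted, and anything else (cross-site referer, or no referer at all, since browsers and proxies may strip it) falls through to the interstitial confirmation page. The handler shape, header dict and token names are assumptions for the example.

```python
import hmac
from urllib.parse import urlsplit


def referer_matches_host(headers, current_host):
    """True when the Referer header's host[:port] equals the current host.

    A missing Referer is treated as non-matching so the safe default
    (show the interstitial) applies when the header was stripped.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).netloc.lower() == current_host.lower()


def logout_decision(method, headers, current_host,
                    form_token=None, session_token=None):
    """Decide what the logout handler should do.

    Returns "logout" when the request is trusted, or "confirm" when an
    interstitial "do you really want to log out?" page should be shown.
    """
    # Strongest signal: a POST carrying the XSRF token bound to the session.
    if (method == "POST" and form_token and session_token
            and hmac.compare_digest(form_token, session_token)):
        return "logout"
    # Weaker signal: the request was referred from a page on this host.
    if referer_matches_host(headers, current_host):
        return "logout"
    # Cross-site or referer-less request: ask the user before logging out.
    return "confirm"


if __name__ == "__main__":
    # Constructed sample requests for a quick manual run.
    print(logout_decision("GET", {"Referer": "https://app.example.com/settings"},
                          "app.example.com"))            # logout
    print(logout_decision("GET", {"Referer": "https://evil.example/page"},
                          "app.example.com"))            # confirm
    print(logout_decision("GET", {}, "app.example.com"))  # confirm
```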