Arachnid / aeoid

Easy OpenID support for App Engine

Handle XSRF issue in logout handler #5

Open Arachnid opened 14 years ago

Arachnid commented 14 years ago

Currently the user could be forced to log out with a request to the logout URL. We need to add XSRF protection against this.

EvanK commented 14 years ago

Maybe I don't understand this issue, but couldn't you just verify, in the LogoutHandler, that the HTTP_REFERER matches the current host? (And if they don't match, show an interstitial page asking if they really want to log out)
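An added example, not code from aeoid or from either commenter, of what the two comments above describe: a logout handler that requires a per-session XSRF token (Arachnid's request) and also checks the Referer against the current host (EvanK's suggestion). It is written in plain Python 3 with a dict standing in for the framework request object, so the names `handle_logout`, `make_xsrf_token`, `referer_matches_host`, the request keys, and the secret and session values are all assumptions constructed for the example. The Referer check is kept as a secondary signal rather than the only defence, because browsers and privacy tools frequently strip that header; an absent Referer is therefore distinguished from a cross-site one instead of being treated as either.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Constructed server-side secret for this example only; a deployment would
# load it from configuration, never from source control.
SERVER_SECRET = b"example-only-secret-not-for-production"


def make_xsrf_token(session_id: str) -> str:
    """Derive the XSRF token for a session as HMAC-SHA256(secret, session id).

    Binding the token to the session means a token read from one user's page
    cannot be used to log out a different user.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def referer_matches_host(referer: Optional[str], host: str) -> Optional[bool]:
    """Return True/False for a present Referer, None when the header is absent.

    Browsers and privacy extensions routinely strip Referer, so "absent" must
    be distinguished from "cross-site" rather than treated as either.
    """
    if not referer:
        return None
    return urlsplit(referer).netloc.lower() == host.lower()


def handle_logout(request: dict) -> tuple:
    """Logout handler with XSRF protection.

    `request` is a minimal stand-in for a framework request object with the
    keys method, host, headers, cookies and form (all constructed for this
    example).  Returns (status_code, body).
    """
    # State-changing actions go over POST; a GET to /logout must do nothing.
    if request["method"] != "POST":
        return 405, "logout requires POST"

    session_id = request["cookies"].get("session")
    if not session_id:
        return 200, "already logged out"

    # Primary defence: the form must carry the token bound to this session,
    # compared in constant time.
    submitted = request["form"].get("xsrf_token", "")
    expected = make_xsrf_token(session_id)
    if not hmac.compare_digest(submitted, expected):
        return 403, "missing or invalid XSRF token"

    # Secondary signal: an explicit cross-site Referer is rejected outright;
    # an absent Referer is allowed because the token check already passed.
    if referer_matches_host(request["headers"].get("Referer"), request["host"]) is False:
        return 403, "cross-site logout request rejected"

    # Here the real handler would clear the session cookie / server-side session.
    return 200, "logged out"


def logout_form_html(session_id: str) -> str:
    """Render the logout form the app serves to a logged-in user."""
    return (
        '<form method="POST" action="/logout">'
        f'<input type="hidden" name="xsrf_token" value="{make_xsrf_token(session_id)}">'
        '<button type="submit">Log out</button></form>'
    )


if __name__ == "__main__":
    sid = "constructed-session-id-123"
    good = {"method": "POST", "host": "example.appspot.com",
            "headers": {"Referer": "https://example.appspot.com/account"},
            "cookies": {"session": sid},
            "form": {"xsrf_token": make_xsrf_token(sid)}}
    forged = {"method": "POST", "host": "example.appspot.com",
              "headers": {"Referer": "https://other-site.example/"},
              "cookies": {"session": sid}, "form": {}}
    print(handle_logout(good))    # (200, 'logged out')
    print(handle_logout(forged))  # (403, 'missing or invalid XSRF token')
```

The token is derived with an HMAC over the session identifier rather than stored, so the handler needs no extra datastore round trip to validate it; rotating `SERVER_SECRET` invalidates every outstanding form, which is acceptable for a logout button.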