Why do PHP login scripts use GET ID to logout?


0

I'm currently building my own login script and have noticed that most append the session ID or similar to the logout page as a get variable.

Why do they do this?

Is it not just as safe/easier to just destroy the session on logout.php and not pass in any ID?

2012-04-05 16:09
by Stephen Adrian Rathbone
Are you sure they're doing it only on logout? Most sites append sessid to the get request to ensure that the user's session perpetuates in cases where they have disabled (or disallowed) cookies - Brad Christie 2012-04-05 16:10
If it's not just the logout page but all the pages then it is a measure taken to mitigate cross-site script forgery risks. Learn more about it here: http://en.wikipedia.org/wiki/Cross-siterequestforger - Sahand 2012-04-05 16:11


1

I cannot think of any reason why they would need to add a get param only when logging out.

Adding some token to a URL can be used to prevent abuse, or the session id is added to the URL to also make the session work when cookies are disabled on the client side.

Update

From the linked article:

However, a quick view of the file shows a fairly interesting issue. It requires the signature computed by logging in to be presented to the user to submit to the login page. Presumably this was done as a form of CSRF protection. However, it also leaks the data necessary to take over a session to the user. So we come to our 11th vulnerability so far:

UPDATE2

I've asked ircmaxell in chat. And yup it is because of CSRF protection.

2012-04-05 16:13
by PeeHaa
Example would be the one this guy is reviewing:- http://blog.ircmaxell.com/2011/08/security-review-creating-secure-php.htm - Stephen Adrian Rathbone 2012-04-05 16:15
@StephenAdrianRathbone he's idling in chat, so why don't you go directly to the source : - PeeHaa 2012-04-05 16:22
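As an added example (not code from the question, the answers, or the script reviewed in the linked blog post), here is what the CSRF reasoning in the accepted answer looks like in a PHP logout handler. A bare GET logout.php with no token can be triggered by any other site (an image tag pointing at the URL is enough), so the link carries a token that the server compares against a value stored in the session. The token is a separate random value, not the session id, which avoids the leak the linked review describes. The file name `logout.php` and the redirect target `/login.php` are assumptions for the example; the functions `csrf_token`, `logout_link`, `logout_unprotected` and `logout_protected` are hypothetical names chosen here.

```php
<?php
// Added example, not part of the original page. Assumes PHP >= 7.0 (random_bytes, ??).
// Shows why a logout link carries a token, and why that token must not be the session id.

session_start();

// Issue one random CSRF token per session and keep it server-side in $_SESSION.
// Deliberately NOT session_id(): a URL that contains the session id leaks the
// value needed to take over the session (the issue the linked review points out).
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Render the logout link the way the question describes: token appended as a GET parameter.
function logout_link(): string {
    return '<a href="logout.php?token=' . urlencode(csrf_token()) . '">Log out</a>';
}

// Unprotected variant: any cross-origin request (e.g. <img src="https://site/logout.php">
// embedded on another page) ends the victim's session. Kept here only for contrast.
function logout_unprotected(): void {
    session_unset();
    session_destroy();
}

// Protected variant: refuse unless the presented token matches the one in the session.
// hash_equals() compares in constant time and rejects non-string input safely;
// a loose == comparison would be open to PHP type juggling.
function logout_protected(array $query): bool {
    $presented = $query['token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($presented) || !hash_equals($expected, $presented)) {
        return false; // caller decides how to report an invalid logout link
    }
    $_SESSION = [];
    // Expire the session cookie as well, so the old id is not sent again by the browser.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return true;
}

// Entry point when this file is served as logout.php (assumed name).
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'logout.php') {
    if (logout_protected($_GET)) {
        header('Location: /login.php');
    } else {
        http_response_code(400);
        echo 'Invalid logout link.';
    }
    exit;
}
```

The same check works unchanged if the token is sent in a hidden field of a POST form instead of a GET parameter; the point is that the server only honours a logout that carries a value it issued to that session, and that value must be something other than the session id.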