Add CSRF protection to logout link - Auth token is used to avoid possibly leaking real csrf token

cda62e2d · Peter Rotich · ecb9178f · cda62e2d · cda62e2d
Commit cda62e2d authored 12 years ago by Peter Rotich
--- a/include/staff/header.inc.php
+++ b/include/staff/header.inc.php
@@ -23,7 +23,6 @@
    if($ost && ($headers=$ost->getExtraHeaders())) {
        echo "\n\t".implode("\n\t", $headers)."\n";
    }
-    csrf_enable_ajax();
    ?>
 </head>
 <body onunload="">
@@ -37,7 +36,8 @@
            <?php }else{ ?>
            | <a href="index.php">Staff Panel</a>
            <?php } ?>
-            | <a href="profile.php">My Preferences</a> | <a href="logout.php">Log Out</a>
+            | <a href="profile.php">My Preferences</a> 
+            | <a href="logout.php?auth=<?php echo md5($ost->getCSRFToken().SECRET_SALT.session_id()); ?>">Log Out</a>
        </p>
    </div>
    <ul id="nav">

--- a/scp/logout.php
+++ b/scp/logout.php
@@ -15,6 +15,10 @@
    vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 require('staff.inc.php');
+//CSRF Check: Make sure the user actually clicked on the link to logout.
+if(!$_GET['auth'] || $_GET['auth']!=md5($ost->getCSRFToken().SECRET_SALT.session_id()))
+   @header('Location: index.php');
 $ost->logDebug('Staff logout',
        sprintf("%s logged out [%s]", 
            $thisstaff->getUserName(), $_SERVER['REMOTE_ADDR'])); //Debug.