Use POST for logout (CSRF) #92

@blinkerbit

Description

Source: gitlab-issues-export.md (Issue 12)

Weight: 3

Problem / context

`LogoutHandler` only implements `get`; a third party can trigger logout via a crafted link (session inconvenience / mild DoS).

Suggested approach / acceptance criteria

  • Add `post` with XSRF where applicable; update templates/JS to POST logout.
  • Keep GET as a deprecated redirect to login with a warning log, or remove it after the transition.
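Added example, not code from this project (the real `LogoutHandler` is not on this page): a framework-agnostic sketch of the change the acceptance criteria ask for. It assumes a handler with `get`/`post` methods, a session cookie, and a double-submit XSRF token (the `_xsrf` form field must match the `_xsrf` cookie); `Request`, `Response` and `SessionStore` are hypothetical stand-ins for whatever the project uses. The GET path keeps the deprecated redirect-with-warning behaviour but performs no state change, so a crafted link can no longer end a session.

```python
# Added example (not the project's code). Request/Response/SessionStore are
# hypothetical minimal stand-ins for the real framework objects.
import hmac
import logging
import secrets
from dataclasses import dataclass, field

log = logging.getLogger("logout")

SESSION_COOKIE = "session"
XSRF_COOKIE = "_xsrf"   # cookie half of the double-submit token
XSRF_FIELD = "_xsrf"    # form-field half of the double-submit token


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: str = ""
    body: str = ""


class SessionStore:
    """In-memory session store, constructed for the example."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def issue_xsrf_token():
    """Token to set as the _xsrf cookie and embed in the logout form."""
    return secrets.token_hex(16)


def xsrf_token_valid(request):
    """Double-submit check: the submitted form token must equal the cookie
    token. Missing either side fails closed; comparison is constant-time."""
    cookie = request.cookies.get(XSRF_COOKIE, "")
    submitted = request.form.get(XSRF_FIELD, "")
    if not cookie or not submitted:
        return False
    return hmac.compare_digest(cookie.encode(), submitted.encode())


class LogoutHandler:
    def __init__(self, sessions):
        self.sessions = sessions

    def get(self, request):
        # Deprecated transition path: a GET must have no side effects, so the
        # session is left untouched; log the use and send the user to login.
        log.warning("deprecated GET logout used; session not cleared")
        return Response(302, location="/login?logout_requires_post=1")

    def post(self, request):
        # Only a same-origin form (carrying the token) can reach this point.
        if not xsrf_token_valid(request):
            log.warning("logout rejected: missing or mismatched XSRF token")
            return Response(403, body="XSRF check failed")
        sid = request.cookies.get(SESSION_COOKIE)
        if sid:
            self.sessions.destroy(sid)
        return Response(302, location="/login")


def logout_form_html(xsrf_token):
    """The template side of the change: a POST form carrying the token."""
    return (
        '<form method="post" action="/logout">'
        f'<input type="hidden" name="{XSRF_FIELD}" value="{xsrf_token}">'
        '<button type="submit">Log out</button></form>'
    )


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    store = SessionStore()
    sid = store.create("alice")
    handler = LogoutHandler(store)
    token = issue_xsrf_token()
    # A crafted link (GET) no longer ends the session.
    print(handler.get(Request("GET", cookies={SESSION_COOKIE: sid})), store.user_for(sid))
    # A cross-site POST lacks the token and is rejected.
    print(handler.post(Request("POST", cookies={SESSION_COOKIE: sid, XSRF_COOKIE: token})), store.user_for(sid))
    # The real logout form succeeds.
    ok = Request("POST", cookies={SESSION_COOKIE: sid, XSRF_COOKIE: token}, form={XSRF_FIELD: token})
    print(handler.post(ok), store.user_for(sid))
```

The double-submit check only holds if the `_xsrf` cookie cannot be set by an attacker (no subdomain-takeover or cookie-injection path) and is not readable cross-origin; a framework with a built-in XSRF mechanism should use that instead of hand-rolling the comparison.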

Metadata

Assignees: No one assigned

Labels: backend (Imported from GitLab export mapping), bug (Something isn't working), frontend (Imported from GitLab export mapping), security (Security-related issues)

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests