From ab478a13bc2a90004b791cc707f2d349cb2c4b3c Mon Sep 17 00:00:00 2001 From: abramofranchetti Date: Fri, 30 Jun 2023 17:49:23 +0200 Subject: [PATCH] Clarify Effects Disabling CSRF Has On Logout Issue gh-13062 --- docs/modules/ROOT/pages/servlet/authentication/logout.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/modules/ROOT/pages/servlet/authentication/logout.adoc b/docs/modules/ROOT/pages/servlet/authentication/logout.adoc index 88dfab3320..ea84001731 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/logout.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/logout.adoc @@ -24,6 +24,8 @@ When you include {spring-boot-reference-url}using.html#using.build-systems.start If you request `GET /logout`, then Spring Security displays a logout confirmation page. Aside from providing a valuable double-checking mechanism for the user, it also provides a simple way to provide xref:servlet/exploits/csrf.adoc[the needed CSRF token] to `POST /logout`. +Please note that if xref:servlet/exploits/csrf.adoc[CSRF protection] is disabled in configuration, no logout confirmation page is shown to the user and the logout is performed directly. + [TIP] In your application it is not necessary to use `GET /logout` to perform a logout. So long as xref:servlet/exploits/csrf.adoc[the needed CSRF token] is present in the request, your application can simply `POST /logout` to induce a logout.
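Review bot: The new sentence in the hunk after "Aside from providing a valuable double-checking mechanism ..." states the behaviour but not its security consequence; since the surrounding paragraph explains that the confirmation page exists to supply the CSRF token for `POST /logout`, the added line should say explicitly that with CSRF protection disabled a plain `GET /logout` performs the logout immediately, so readers understand why the confirmation page disappears and why the `[TIP]` below (which assumes a CSRF token is present) no longer applies in that configuration. Style-wise, the doc already uses admonition blocks (`[TIP]` two lines down), so this caveat would read more consistently as a `[NOTE]` admonition than as a bare "Please note that ..." paragraph, e.g. `[NOTE]` followed by `If xref:servlet/exploits/csrf.adoc[CSRF protection] is disabled, ` `GET /logout` `performs the logout directly and no confirmation page is shown.`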