Clarify Effects Disabling CSRF Has On Logout
Issue gh-13062
This commit is contained in:
parent
cc86afe658
commit
ab478a13bc
|
@ -24,6 +24,8 @@ When you include {spring-boot-reference-url}using.html#using.build-systems.start
|
||||||
If you request `GET /logout`, then Spring Security displays a logout confirmation page.
|
If you request `GET /logout`, then Spring Security displays a logout confirmation page.
|
||||||
Aside from providing a valuable double-checking mechanism for the user, it also provides a simple way to provide xref:servlet/exploits/csrf.adoc[the needed CSRF token] to `POST /logout`.
|
Aside from providing a valuable double-checking mechanism for the user, it also provides a simple way to provide xref:servlet/exploits/csrf.adoc[the needed CSRF token] to `POST /logout`.
|
||||||
|
|
||||||
|
Please note that if xref:servlet/exploits/csrf.adoc[CSRF protection] is disabled in configuration, no logout confirmation page is shown to the user and the logout is performed directly.
|
||||||
|
|
||||||
[TIP]
|
[TIP]
|
||||||
In your application it is not necessary to use `GET /logout` to perform a logout.
|
In your application it is not necessary to use `GET /logout` to perform a logout.
|
||||||
So long as xref:servlet/exploits/csrf.adoc[the needed CSRF token] is present in the request, your application can simply `POST /logout` to induce a logout.
|
So long as xref:servlet/exploits/csrf.adoc[the needed CSRF token] is present in the request, your application can simply `POST /logout` to induce a logout.
|
||||||
|
|
Loading…
Reference in New Issue