Clarify Effects Disabling CSRF Has On Logout

Issue gh-13062
This commit is contained in:
abramofranchetti 2023-06-30 17:49:23 +02:00 committed by Josh Cummings
parent cc86afe658
commit ab478a13bc
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
1 changed files with 2 additions and 0 deletions

View File

@ -24,6 +24,8 @@ When you include {spring-boot-reference-url}using.html#using.build-systems.start
If you request `GET /logout`, then Spring Security displays a logout confirmation page. If you request `GET /logout`, then Spring Security displays a logout confirmation page.
Aside from providing a valuable double-checking mechanism for the user, it also provides a simple way to provide xref:servlet/exploits/csrf.adoc[the needed CSRF token] to `POST /logout`. Aside from providing a valuable double-checking mechanism for the user, it also provides a simple way to provide xref:servlet/exploits/csrf.adoc[the needed CSRF token] to `POST /logout`.
Please note that if xref:servlet/exploits/csrf.adoc[CSRF protection] is disabled in configuration, no logout confirmation page is shown to the user and the logout is performed directly.
[TIP] [TIP]
In your application it is not necessary to use `GET /logout` to perform a logout. In your application it is not necessary to use `GET /logout` to perform a logout.
So long as xref:servlet/exploits/csrf.adoc[the needed CSRF token] is present in the request, your application can simply `POST /logout` to induce a logout. So long as xref:servlet/exploits/csrf.adoc[the needed CSRF token] is present in the request, your application can simply `POST /logout` to induce a logout.