Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clarify Effects Disabling CSRF Has On Logout 

Issue gh-13062
This commit is contained in:
abramofranchetti 2023-06-30 17:49:23 +02:00 committed by Josh Cummings
parent cc86afe658
commit ab478a13bc
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/modules/ROOT/pages/servlet/authentication/logout.adoc
View File

@ -24,6 +24,8 @@ When you include {spring-boot-reference-url}using.html#using.build-systems.start
If you request `GET /logout`, then Spring Security displays a logout confirmation page.
Aside from providing a valuable double-checking mechanism for the user, it also provides a simple way to provide xref:servlet/exploits/csrf.adoc[the needed CSRF token] to `POST /logout`.
Please note that if xref:servlet/exploits/csrf.adoc[CSRF protection] is disabled in configuration, no logout confirmation page is shown to the user and the logout is performed directly.
[TIP]
In your application it is not necessary to use `GET /logout` to perform a logout.
So long as xref:servlet/exploits/csrf.adoc[the needed CSRF token] is present in the request, your application can simply `POST /logout` to induce a logout.