Home/ Questions/Q 7743235
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T09:28:48+00:00

I’m currently building my own login script and have noticed that most append the

  • 0

I’m currently building my own login script and have noticed that most append the session ID or similar to the logout page as a get variable.

Why do they do this?

Is it not just safe/easier to just the destroy the session on logout.php and not pass in any ID?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I cannot think of any reason why they would need to add a get param only when logging out.

    Adding some token to an URL can be used to prevent abuse or when the session id is added to the url to also make session work when cookies are disbled on the client side.

    Update

    From the linked article:

    However, a quick view of the file shows a fairly interesting issue. It requires the signature computed by logging in to be presented to the user to submit to the login page. Presumably this was done as a form of CSRF protection. However, it also leaks the data necessary to take over a session to the user. So we come to our 11th vulnerability so far:

    UPDATE2

    I’ve asked ircmaxell in chat. And yup it is because of CSRF protection.

    • 0