Use form POST for signout link to prevent CSRF

2025-04-24 17:22:35 +02:00 · 2017-02-02 10:27:30 -08:00 · 2017-02-02 10:27:30 -08:00 · ad22cc519f
commit ad22cc519f
parent e43e7d973a
2 changed files with 5 additions and 2 deletions
--- a/app/signin.rb
+++ b/app/signin.rb
@ -40,7 +40,7 @@ get '/signin/:username' do
  redirect request.referrer
 end

-get '/signout' do
+post '/signout' do
  require_login
  signout
  redirect '/'
--- a/views/_header.erb
+++ b/views/_header.erb
@ -63,7 +63,10 @@
              <li><a href="/admin">Admin</a></li>
            <% end %>

-            <li><a href="/signout">Sign Out</a></li>
+            <li><a href="#" onclick="$('#signoutForm').submit()">Sign Out</a></li>
+            <form id="signoutForm" method="POST" action="/signout" style="display: none">
+              <%== csrf_token_input_html %>
+            </form>
          </ul>
        </li>