harden(logout): enforce POST+CSRF and remove GET logout triggers
This commit is contained in:
@@ -15,6 +15,7 @@ $sessionIdleMinutes = (int) (appSetting('session_idle_timeout_minutes') ?? 30);
|
||||
$sessionIdleSeconds = max($sessionIdleMinutes, 5) * 60;
|
||||
$sessionPingUrl = lurl('admin/session-ping/data');
|
||||
$sessionLogoutUrl = lurl('logout');
|
||||
$sessionLogoutFormId = 'app-logout-form';
|
||||
$telemetryEnabled = frontendTelemetryEnabled();
|
||||
$telemetrySampleRate = frontendTelemetrySampleRate();
|
||||
$telemetryAllowedEvents = implode(',', frontendTelemetryAllowedEvents());
|
||||
@@ -224,7 +225,7 @@ $componentPageConfig = [
|
||||
'selector' => '[data-app-session-warning-dialog]',
|
||||
'idleSeconds' => $sessionIdleSeconds,
|
||||
'pingUrl' => $sessionPingUrl,
|
||||
'logoutUrl' => $sessionLogoutUrl,
|
||||
'logoutFormId' => $sessionLogoutFormId,
|
||||
'csrfKey' => $csrfKey,
|
||||
'csrfToken' => $csrfToken,
|
||||
],
|
||||
@@ -296,7 +297,7 @@ $componentPageConfig['moduleRuntimeComponents'] = $moduleRuntimeComponents;
|
||||
<?php if ($isLoggedIn): ?>
|
||||
data-session-idle-seconds="<?php e((string) $sessionIdleSeconds); ?>"
|
||||
data-session-ping-url="<?php e($sessionPingUrl); ?>"
|
||||
data-session-logout-url="<?php e($sessionLogoutUrl); ?>"
|
||||
data-session-logout-form-id="<?php e($sessionLogoutFormId); ?>"
|
||||
<?php endif; ?>
|
||||
class="no-js"
|
||||
<?php if ($primaryVars !== ''): ?>style="<?php e($primaryVars); ?>" <?php endif; ?>
|
||||
@@ -334,6 +335,11 @@ $componentPageConfig['moduleRuntimeComponents'] = $moduleRuntimeComponents;
|
||||
</div>
|
||||
</div>
|
||||
<div class="app-drawer-backdrop" aria-hidden="true"></div>
|
||||
<?php if ($isLoggedIn): ?>
|
||||
<form id="<?php e($sessionLogoutFormId); ?>" method="post" action="<?php e($sessionLogoutUrl); ?>" hidden>
|
||||
<input type="hidden" name="<?php e($csrfKey); ?>" value="<?php e($csrfToken); ?>">
|
||||
</form>
|
||||
<?php endif; ?>
|
||||
|
||||
<script src="<?php e(assetVersion('vendor/fslightbox/fslightbox.js')); ?>"></script>
|
||||
<?php require __DIR__ . '/partials/app-confirm-dialog.phtml'; ?>
|
||||
|
||||
@@ -30,6 +30,7 @@ if ($tenantLabel === '') {
|
||||
}
|
||||
$canSwitchTenant = is_array($currentTenant) && count($availableTenants) > 1;
|
||||
$allowUserTheme = allowUserTheme();
|
||||
$logoutFormId = trim((string) ($sessionLogoutFormId ?? 'app-logout-form'));
|
||||
$layoutAuth = is_array($viewAuth['layout'] ?? null) ? $viewAuth['layout'] : [];
|
||||
$layoutNav = is_array($layoutNav ?? null) ? $layoutNav : [];
|
||||
$moduleSlots = is_array($layoutNav['moduleSlots'] ?? null) ? $layoutNav['moduleSlots'] : [];
|
||||
@@ -196,9 +197,10 @@ $moduleTopbarSlots = is_array($moduleSlots['topbar.right_item'] ?? null) ? $modu
|
||||
|
||||
<li class="app-topbar-menu-divider" role="separator"></li>
|
||||
<li class="app-topbar-menu-heading" role="presentation"><small><?php e(t('Session')); ?></small></li>
|
||||
<li><a href="logout">
|
||||
<li>
|
||||
<button type="submit" form="<?php e($logoutFormId); ?>">
|
||||
<?php e(t('Logout')); ?>
|
||||
</a>
|
||||
</button>
|
||||
</li>
|
||||
</ul>
|
||||
</details>
|
||||
|
||||
Reference in New Issue
Block a user