harden(logout): enforce POST+CSRF and remove GET logout triggers

This commit is contained in:
2026-04-25 23:35:03 +02:00
parent a24dc0c235
commit 3207d71244
6 changed files with 82 additions and 9 deletions

View File

@@ -15,6 +15,7 @@ $sessionIdleMinutes = (int) (appSetting('session_idle_timeout_minutes') ?? 30);
$sessionIdleSeconds = max($sessionIdleMinutes, 5) * 60;
$sessionPingUrl = lurl('admin/session-ping/data');
$sessionLogoutUrl = lurl('logout');
$sessionLogoutFormId = 'app-logout-form';
$telemetryEnabled = frontendTelemetryEnabled();
$telemetrySampleRate = frontendTelemetrySampleRate();
$telemetryAllowedEvents = implode(',', frontendTelemetryAllowedEvents());
@@ -224,7 +225,7 @@ $componentPageConfig = [
'selector' => '[data-app-session-warning-dialog]',
'idleSeconds' => $sessionIdleSeconds,
'pingUrl' => $sessionPingUrl,
'logoutUrl' => $sessionLogoutUrl,
'logoutFormId' => $sessionLogoutFormId,
'csrfKey' => $csrfKey,
'csrfToken' => $csrfToken,
],
@@ -296,7 +297,7 @@ $componentPageConfig['moduleRuntimeComponents'] = $moduleRuntimeComponents;
<?php if ($isLoggedIn): ?>
data-session-idle-seconds="<?php e((string) $sessionIdleSeconds); ?>"
data-session-ping-url="<?php e($sessionPingUrl); ?>"
data-session-logout-url="<?php e($sessionLogoutUrl); ?>"
data-session-logout-form-id="<?php e($sessionLogoutFormId); ?>"
<?php endif; ?>
class="no-js"
<?php if ($primaryVars !== ''): ?>style="<?php e($primaryVars); ?>" <?php endif; ?>
@@ -334,6 +335,11 @@ $componentPageConfig['moduleRuntimeComponents'] = $moduleRuntimeComponents;
</div>
</div>
<div class="app-drawer-backdrop" aria-hidden="true"></div>
<?php if ($isLoggedIn): ?>
<form id="<?php e($sessionLogoutFormId); ?>" method="post" action="<?php e($sessionLogoutUrl); ?>" hidden>
<input type="hidden" name="<?php e($csrfKey); ?>" value="<?php e($csrfToken); ?>">
</form>
<?php endif; ?>
<script src="<?php e(assetVersion('vendor/fslightbox/fslightbox.js')); ?>"></script>
<?php require __DIR__ . '/partials/app-confirm-dialog.phtml'; ?>