I am using CakePHP 3.10 and the CakeDC Users plugin for login/logout. In my application CSRF protection is provided through middleware on all routes. I am trying to figure out the best way to check for the CSRF token before logout so that malicious code doesn’t log out a user. Is there any recommended approach to achieve this? I haven’t been able to find anything in the documentation.
You could do something similar to how the delete() action is working. In there it only deletes a given entry if the current request is submitted via POST and therefore has a CSRF check present inside it.
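The POST-only pattern from the reply above, written out as an added example (not code from the thread, the CakeDC Users plugin, or CakePHP itself). It assumes a plain AuthComponent-based `UsersController` in a CakePHP 3.x app with `CsrfProtectionMiddleware` registered in `Application::middleware()`; the middleware only validates `_csrfToken` on POST/PUT/PATCH/DELETE, so the action has to refuse GET for the check to apply at all. `FormHelper::postLink()` renders a small POST form and adds the `_csrfToken` hidden field automatically when the middleware is active, so nothing has to be embedded in the link URL by hand.

```php
<?php
// src/Controller/UsersController.php  (added example; hypothetical controller)
namespace App\Controller;

class UsersController extends AppController
{
    public function initialize()
    {
        parent::initialize();
        // Hypothetical minimal Auth setup; the real app's config will differ.
        $this->loadComponent('Auth', [
            'loginAction' => ['controller' => 'Users', 'action' => 'login'],
            'logoutRedirect' => ['controller' => 'Users', 'action' => 'login'],
        ]);
    }

    public function logout()
    {
        // Refuse anything but POST. A cross-site <a href> or <img src> pointing at
        // /users/logout is a GET and is rejected here with MethodNotAllowedException.
        // A cross-site POST is already stopped earlier by CsrfProtectionMiddleware,
        // because the attacker's page cannot read the user's _csrfToken cookie.
        $this->request->allowMethod(['post']);

        $this->Flash->success(__('You have been logged out.'));

        // AuthComponent::logout() clears the session and returns the logoutRedirect URL.
        return $this->redirect($this->Auth->logout());
    }
}
```

```php
<?php
// src/Template/Element/logout_link.ctp  (added example; hypothetical element)
// postLink() emits a hidden <form method="post"> plus a JavaScript-submitted link.
// With CsrfProtectionMiddleware active the form already carries the _csrfToken
// field, so the logout URL itself stays token-free.
echo $this->Form->postLink(
    __('Logout'),
    ['controller' => 'Users', 'action' => 'logout'],
    ['confirm' => __('Log out now?')]
);
```

With this in place a stray GET to the logout URL (including the one a malicious page could trigger) fails with a 405 before the session is touched, and only a POST carrying a valid token reaches `$this->Auth->logout()`.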
Thanks Kevin. In the existing application there is no controller method for logout, and the logout method is called via Session Traits. I am currently embedding the CSRF token in the logout link and, inside the beforeLogout event, checking whether the request query parameter is present. This is working and stopping malicious code from logging the user out. But I am just wondering if there is a better approach where I don’t have to embed the CSRF token in the logout link.