Logout hashes, how are they handled?

Michaelfax

New Member
What's the way the logout hashes are usually handled in PHP? On a lot of sites there are usually logout hashes to confirm that the user that's logging out is the correct user. How is this usually handled? Example:

[code]
http://domain.com/user/logout/nil4ytwojytjwoytjwy5tw5
[/code]

nil4ytwojytjwoytjwy5tw5 being the hash.

Just an update of my research so that others can see how this works. I figured out that this type of attack is mainly used with zero-byte images and iframes and such. If you're logged into SITE A and you're also browsing SITE B, SITE B could place, let's say, an image tag:

[code]
<img src="http://SITE_A.com/logout/" width="1" height="1" style="display:none" />
[/code]

and because the request has actually come from the legitimate logged-in user, the request is processed. By adding a validation value to important forms, such as transfer account, logout etc., the hacker cannot get this value and therefore the request would not be executed!

Thanks for your help
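The defence described in the post, written out as an added PHP example (this is not code from the original post or from any particular framework): a per-session token is generated with a CSPRNG, embedded in the logout form, and compared in constant time on the logout endpoint. The example goes one step further than the post by also requiring POST, since a hidden `<img>` on another site can only issue GET requests. The route `/user/logout`, the session key `logout_token` and the function names are assumptions.

```php
<?php
// Added example, not the original post's code. Assumptions: this script
// handles the /user/logout route, and the token lives in $_SESSION['logout_token'].
declare(strict_types=1);

session_start();

// Generate the token once per session from a CSPRNG and keep it server-side;
// a third-party page cannot read it, so it cannot forge the logout request.
function csrfToken(): string
{
    if (empty($_SESSION['logout_token'])) {
        $_SESSION['logout_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['logout_token'];
}

// Render the logout form with the token embedded as a hidden field.
function renderLogoutForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/user/logout">'
         . '<input type="hidden" name="token" value="' . $token . '">'
         . '<button type="submit">Log out</button>'
         . '</form>';
}

// Validate the incoming request: POST only, token present, and a constant-time
// comparison against the session copy so timing differences leak nothing.
function validateLogout(array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false; // <img src> and plain links only issue GET
    }
    $expected = $_SESSION['logout_token'] ?? '';
    $given = $post['token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Destroy the session fully, including the session cookie on the client.
function performLogout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']
        );
    }
    session_destroy();
}

// Endpoint wiring: a valid POST logs out; anything else gets 403 and stays logged in.
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if ($method === 'POST') {
    if (validateLogout($_POST, $method)) {
        performLogout();
        header('Location: /', true, 303);
        exit;
    }
    http_response_code(403);
    echo 'Invalid logout request';
    exit;
}

// GET simply shows the form containing the token.
echo renderLogoutForm();
```

With this in place, the hidden image from SITE B still reaches `/user/logout`, but it arrives as a GET without the token, so `validateLogout()` rejects it and the session survives; only the real form rendered to the logged-in user carries the matching value.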