How is logout hashing typically handled in PHP?
On many sites, the logout link usually includes a hash to confirm that the user who logs out is the correct user. How is this usually handled?
Examples
http://domain.com/user/logout/nil4ytwojytjwoytjwy5tw5
nil4ytwojytjwoytjwy5tw5 is a hash
Just updating my research so others can see how it works.
I realized that this type of attack is mainly used with zero-byte images and iframes per se.
If you are logged into SITE A and you browse to SITE B, and the page on SITE B contains, say, an image tag:
<img src="http://SITE_A.com/logout/" width="1" height="1" style="display:none" />
and since the request does come from a legitimate registered user, the request is processed.
By adding a validation value to important forms such as account transfer, logout, etc., the hacker cannot get this value, and therefore the request will not be executed!
Thanks for the help.
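One way to implement the validation value described above, as an added example that is not part of the original post: a per-session random token is embedded in the logout link and checked before the session is destroyed. The function names, the `logout_token` session key and the plain array standing in for `$_SESSION` are assumptions made for illustration.

```php
<?php
// Added example; all names here are hypothetical.

/** Return the session's logout token, creating it on first use. */
function logout_token(array &$session): string
{
    if (empty($session['logout_token'])) {
        // 32 bytes from the CSPRNG: a third-party page cannot guess or read it.
        $session['logout_token'] = bin2hex(random_bytes(32));
    }
    return $session['logout_token'];
}

/** Build the logout link rendered for the logged-in user. */
function logout_url(array &$session): string
{
    return '/user/logout/' . logout_token($session);
}

/** Process a logout request; returns true only when the token matches. */
function handle_logout(array &$session, string $supplied): bool
{
    $expected = $session['logout_token'] ?? '';
    // hash_equals() compares in constant time; a missing token never matches.
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return false; // forged or stale request: leave the session untouched
    }
    $session = []; // in a real app: session_unset(); session_destroy();
    return true;
}

// Constructed demo: a plain array stands in for $_SESSION so this runs on the CLI.
$session = ['user_id' => 42];
$link = logout_url($session);

// Request caused by the hidden <img> on SITE B: the URL carries no token.
var_dump(handle_logout($session, ''));
var_dump(isset($session['user_id'])); // user is still logged in

// Request from the real link rendered on SITE A.
$token = substr($link, strlen('/user/logout/'));
var_dump(handle_logout($session, $token));
var_dump(isset($session['user_id'])); // session has been cleared
```

In a real application, call `session_start()` and pass `$_SESSION` in place of the demo array.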