id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
9776	No CSRF protection for auth system logout view	Mez	nobody	"Having looked through the documentation, it seems that there is a sorely missed point.

The logout function doesn't seem to have any form of CSRF protection that I can notice. Meaning that someone could easily place an image with the URL of http://www.yoursite.com/logout/ (or whatever the URL is) and make it so that anyone who views the page with the image on it is logged out.

This to me seems a massive oversight in the system, and I can foresee times where, due to a badly configured permission system, an admin cannot easily delete offending content which has an image or something similar to this in it.
"		closed	contrib.auth	1.0		duplicate	csrf logout		Unreviewed	0	0	0	0	0	0
