id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
9776,No CSRF protection for auth system logout view,Mez,nobody,"Having looked through the documentation, it seems that there is a sorely missed point. The logout function doesn't seem to have any form of CSRF protection that I can notice. Meaning that someone could easily place an image with the URL of http://www.yoursite.com/logout/ (or whatever the URL is) and make it so that anyone who views the page with the image on it is logged out. This to me seems a massive oversight in the system, and I can foresee times where, due to a badly configured permission system, an admin cannot easily delete offending content which has an image or something similar to this in it.",,closed,contrib.auth,1.0,,duplicate,csrf logout,,Unreviewed,0,0,0,0,0,0