Logout form
Logout should be CSRF protected like any other user-performed action. The Perch Members app's form handler currently does not handle a logout form, so most developers end up creating a /logout page and using the perch_member_log_out() function:
<?php
// Hand-rolled /logout page: any request that reaches it, including one a third-party site triggers, logs the member out
perch_member_log_out();
PerchSystem::redirect('/account');
This approach is subject to cross-site request forgery: an attacker can log the user out. While logging out is perhaps a harmless action, if you want to protect it against CSRF attacks, you can use the logout form:
<perch:form id="logout" app="pipit_members" method="post" r="/account">
    <perch:input type="submit" value="Log Out">
    <perch:input type="hidden" id="token" />
</perch:form>
Note the use of the r attribute for redirecting to /account on success. Check out the available attributes.
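As an added illustration (not code from the Pipit Members app or from Perch), here is what the same protection looks like if you keep a hand-rolled /logout page instead of the app's form handler: the page issues a random per-session token, and only a POST carrying that token calls perch_member_log_out(). The csrf_token() and csrf_token_is_valid() helpers are this example's own assumptions; perch_member_log_out() and PerchSystem::redirect() are the Perch calls used above, and how the app validates its own token field is not described here.

```php
<?php
// Added example, not part of the Pipit Members app: a CSRF-protected
// hand-rolled /logout page. Assumes perch_member_log_out() and
// PerchSystem::redirect() from Perch; the token helpers are our own.

// Issue (or reuse) a random token bound to this visitor's session.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing, non-string or mistyped token never matches.
function csrf_token_is_valid($submitted): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals(csrf_token(), $submitted);
}

// Only a POST carrying this session's token performs the logout. A link,
// image or iframe on another site produces a GET (or a POST without the
// token), so those requests fall through and merely render the form.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && csrf_token_is_valid($_POST['token'] ?? null)) {
    unset($_SESSION['csrf_token']);      // token is single-use
    perch_member_log_out();
    PerchSystem::redirect('/account');
    exit;
}

// Any other request renders the form instead of acting.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="/logout">'
   . '<input type="hidden" name="token" value="' . $token . '">'
   . '<button type="submit">Log Out</button>'
   . '</form>';
```

The check that matters is the combination of method and token: rejecting GET alone is not enough, because a form on another origin can still POST, and checking the token with hash_equals() rather than == avoids both type-juggling surprises and timing differences.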