Should login and logout action have CSRF protection?

Possibly you should protect against Login CSRF. Without this protection an attacker can effectively reverse a CSRF attack. Rather than the victim being logged in to their own account and the attacker trying to ride the session by making requests to the site using the victim's cookies, they will be logged into the site under the attacker's credentials, allowing the attacker to effectively hijack requests to the domain that the victim thought were anonymous or under their own account, sending them to the attacker's account instead. Of course whether this is relevant to your particular site or not depends on the nature of your site and whether something like this is advantageous to an attacker. An example is a Login CSRF attack on a search engine so the attacker can see the terms being searched for, as they are logged under the attacker's account instead of the victim's.

The main targets for this type of attack are where authenticated actions can take place outside of the main application itself, e.g. from a browser plugin or a widget embedded on another site. This is because these actions will be authenticated through the use of cookies, and if an attacker has you logged in as them, each action will be recorded in their account.

You should also protect your logout mechanism against CSRF. At first it seems that all an attacker can do is log out the user, which would be annoying at worst. However, if you combine this with a phishing attack, the attacker may be able to entice the victim to log in again using their own form and then capture the credentials. See here for a recent example: LostPass.
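The synchronizer-token protection both halves of this answer call for, as an added example that is not from any of the answers above: the login form carries a token bound to the anonymous pre-login session, the session is rotated on successful login, and logout is a POST that must carry the logged-in session's token. The in-memory `SessionStore`, the handler names and the `check_password` callback are assumptions standing in for a real framework.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    sid: str
    user: Optional[str] = None  # None = anonymous (pre-login) session
    # every session, anonymous ones included, gets its own CSRF token
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

class SessionStore:
    """Assumed in-memory stand-in for a server-side session backend."""
    def __init__(self):
        self._sessions = {}
    def new(self, user=None):
        s = Session(sid=secrets.token_urlsafe(24), user=user)
        self._sessions[s.sid] = s
        return s
    def get(self, sid):
        return self._sessions.get(sid)
    def destroy(self, sid):
        self._sessions.pop(sid, None)

def _token_ok(session, submitted):
    # constant-time comparison; a missing or wrong token rejects the request
    return submitted is not None and hmac.compare_digest(session.csrf_token, submitted)

def handle_login(store, cookie_sid, form, check_password):
    """POST /login. Returns (status, session id to set in the cookie)."""
    session = store.get(cookie_sid)
    if session is None or not _token_ok(session, form.get("csrf_token")):
        return 403, cookie_sid  # login CSRF: a cross-site POST has no valid pre-session token
    if not check_password(form.get("username"), form.get("password")):
        return 401, cookie_sid
    store.destroy(cookie_sid)  # rotate: never upgrade the anonymous session in place
    return 200, store.new(user=form["username"]).sid

def handle_logout(store, cookie_sid, form):
    """POST /logout. Returns (status, session id to set in the cookie)."""
    session = store.get(cookie_sid)
    if session is None or session.user is None:
        return 401, cookie_sid
    if not _token_ok(session, form.get("csrf_token")):
        return 403, cookie_sid  # logout CSRF: a forged request cannot supply the token
    store.destroy(cookie_sid)
    return 200, store.new().sid  # back to a fresh anonymous session
```

A GET /logout link such as the one in the trading scenario below fails the same way: it carries the cookie but not the token.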


CSRF Protection on Logout is a must!

Why? Assume the following scenario:

  1. You're on a trading page and prepare a buying order for e.g. 1000 Daimlers on the XETRA exchange.
  2. While you are preparing the order, somebody who knows that you are logged on to https://anybrokerpage.com/ sends a phishing link to you, e.g. https://anybrokerpage.com/logout
  3. By clicking the link, you are logged out and the order is perhaps not finished.
  4. After logging in again, you recognize that the price for the 1000 Daimlers is higher than it was a minute before you were logged out by this phishing link.
  5. Now you have to order at a higher price.

A CSRF Token on the logout would have prevented this mess.


Login? Yes. Logout? No.

Why login? There is this funny CSRF login attack, where the attacker logs in the victim under an attacker-controlled account, and then can "gain control over content created by the victim while logged in under that account". The impact is pretty lame IMO, but they started to see this as a problem now that more juicy attack vectors are gone. ;-)

Why not logout? There is no security impact. The worst one can do is to log someone out of the system, which causes annoyance at most.

EDIT: There is no security impact in logout CSRF attack by itself. There may be cases when this may be used in a multi-stage attack to first log someone out, then prompt them to log in on a spoofed page.