Signing out

I wanted to add the signout to the menu (more prominently than the one hidden under the gear).
I noticed that the link to signing out has a parameter. When I played with adding the signout through the add menu items plugin I did it without the parameter and was able to sign out.
So the questions are:
1. What is the parameter for?
2. What's the impact of signing out without it?
0
Best Answer
x00 MVP
It is to do with CSRF
https://en.wikipedia.org/wiki/Cross-site_request_forgery
http://security.stackexchange.com/questions/62769/must-login-and-logout-action-have-csrf-protection
grep is your friend.
2
Answers
What parameter are you referring to?
The TransientKey?
Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
Yes, indeed. I found out that I can sign out using "http://myforum.org/entry/signout" even though the link on the sign out on the gear has the transient key parameter (http://myforum.org/entry/signout?TransientKey=VMLQ4CGQB4LV).
So I want to know what the effect of signing out without the transient key is, and I am curious as to what its purpose is.
It is clear that the logout transient key is not being used in that case, as it mainly protects logins and postbacks.
Logout CSRF is lower impact, but could constitute a "denial of client attack" or general harassment, or possibly be used with phishing.
grep is your friend.
So that brings up the question of how do I add the signout request WITH the transient key to the AddMenuItem plugin?
because the signout check hasn't been implemented.
use
SignOutUrl
function
grep is your friend.
@x00 - Thanks but the Add Menu Item settings expect a url. I don't know how to make that work with the SignOutUrl "function" ...
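An added illustration, not part of the thread and not Vanilla's own code: a small Python model of a sign-out handler with and without a per-session key check, showing why a fixed URL typed into a menu setting cannot carry a valid key. The in-memory session store, the function names and the assumption that the key is random per session are hypothetical; only the `/entry/signout` path and the `TransientKey` parameter name come from the posts above.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SESSIONS = {}  # session id -> transient key (constructed in-memory store)

def sign_in():
    """Create a session with its own random transient key (assumption)."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = secrets.token_urlsafe(9)
    return sid

def sign_out_url(sid, base="/entry/signout"):
    """Build the link at render time for the session viewing the page."""
    return base + "?" + urlencode({"TransientKey": SESSIONS[sid]})

def handle_sign_out(sid, url, enforce_key=True):
    """Return True if the session was ended.

    enforce_key=False models the behaviour reported in the thread (a bare
    /entry/signout is accepted); True models a handler that checks the key.
    """
    if sid not in SESSIONS:
        return False
    if enforce_key:
        sent = parse_qs(urlsplit(url).query).get("TransientKey", [""])[0]
        # Constant-time compare against the key bound to this session.
        if not hmac.compare_digest(sent.encode(), SESSIONS[sid].encode()):
            return False
    del SESSIONS[sid]
    return True

def demo():
    results = {}
    alice, bob = sign_in(), sign_in()
    # A link embedded in another site cannot know Alice's key.
    results["forged_rejected"] = not handle_sign_out(alice, "/entry/signout")
    # A static menu URL copied from Bob's page carries Bob's key, not Alice's.
    results["static_link_rejected"] = not handle_sign_out(alice, sign_out_url(bob))
    # The link rendered for Alice's own session works.
    results["own_link_accepted"] = handle_sign_out(alice, sign_out_url(alice))
    # Without the check, any request sent with Bob's cookie ends his session.
    results["unchecked_accepts_forged"] = handle_sign_out(
        bob, "/entry/signout", enforce_key=False)
    return results

if __name__ == "__main__":
    print(demo())
```

In this model the menu entry has to be produced by code that runs per request, which is the role a URL-building function plays compared with a fixed string in a settings field.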