What's the way the logout hashes are usually handled in PHP?
On a lot of sites there are usually logout hashes to confirm that the user that's logging out is the correct user. How is this usually handled?
Examples
http://domain.com/user/logout/nil4ytwojytjwoytjwy5tw5
nil4ytwojytjwoytjwy5tw5 being the hash
Just an update of my research so that others can see how this works.
I figured out that this type of attack is mainly used with zero-byte images and iframes as such.
If you're logged into SITE A and you're also browsing SITE B, SITE B could place, let's say, an image tag:
<img src="http://SITE_A.com/logout/" width="1" height="1" style="display:none" />
and because the request has actually come from the legitimate logged-in user, the request is processed.
By adding a validation value to important forms, such as transfer account, logout etc., the hacker cannot get this value and therefore the request would not be executed!
Thanks for your help
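
A sketch of the validation value described above, as an added example that is not part of the original post: a per-session random token is placed in the logout URL and checked before the session is ended. The function names, the `logout_token` session key and the plain array standing in for `$_SESSION` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; names and URL layout are illustrative only.

/** Return the per-session logout token, creating it on first use. */
function logout_token(array &$session): string
{
    if (empty($session['logout_token'])) {
        // 128 bits from the CSPRNG: another site cannot guess or read it.
        $session['logout_token'] = bin2hex(random_bytes(16));
    }
    return $session['logout_token'];
}

/** Build the logout link rendered into pages for the logged-in user. */
function logout_url(array &$session): string
{
    return '/user/logout/' . logout_token($session);
}

/** Process a logout request; true only when the URL token matches. */
function handle_logout(array &$session, string $path): bool
{
    $supplied = basename($path);                 // last path segment
    $expected = $session['logout_token'] ?? '';
    // hash_equals() compares in constant time; an empty token never matches.
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return false;                            // forged or stale: stay logged in
    }
    $session = [];                               // real code: session_destroy()
    return true;
}

// Constructed session array standing in for $_SESSION.
$session = ['user_id' => 42];
$link = logout_url($session);

// Request triggered by a hidden <img> on another site: cookie, but no token.
var_dump(handle_logout($session, '/user/logout/'));
var_dump(isset($session['user_id']));

// Request from the user's own logout link: token present and matching.
var_dump(handle_logout($session, $link));
var_dump(isset($session['user_id']));
```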