By klausi on
Change record status:
Published
Project:
Introduced in branch:
10.3.x
Introduced in version:
10.3.0
Issue links:
Description:
The route user.logout (path /user/logout) now requires a CSRF token before logging out a user. If no CSRF token is provided in the URL, the user will be redirected to a confirmation form.
Any code that has the logout path hard-coded should be updated to use URL-generating functions, which include the CSRF token automatically. Example for Twig:
Before
<a href="/user/logout">{{ 'Log out'|t }}</a>
After
<a href="{{ path('user.logout') }}">{{ 'Log out'|t }}</a>
If the code is not updated, the user will see the confirmation form after clicking the link.
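To find links that still need this update, the following Python script scans a theme or module directory for quoted strings that hard-code the logout path. It is an added example, not part of the original change record or of Drupal; the file-suffix list, function names and sample template are assumptions made for illustration.

```python
import re
from pathlib import Path

# File types assumed to carry links in a Drupal theme or module (adjust as needed).
SCAN_SUFFIXES = {".twig", ".php", ".module", ".theme", ".inc", ".js"}

# A quoted string whose path is exactly user/logout: optional prefix ending in "/",
# optional trailing slash, optional query string or fragment. The route name
# user.logout (with a dot) never matches, so path('user.logout') is not flagged.
HARDCODED_LOGOUT = re.compile(
    r"""(?P<q>["'])(?P<url>(?:[^"'\s]*/)?user/logout/?(?:[?#][^"'\s]*)?)(?P=q)"""
)


def find_hardcoded_logout(text):
    """Return (line_number, url) for every hard-coded logout path in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HARDCODED_LOGOUT.finditer(line):
            hits.append((lineno, match.group("url")))
    return hits


def scan_tree(root):
    """Scan a directory tree; return {file path: hits} for files with findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_hardcoded_logout(text)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample template for demonstration, not taken from a real project.
SAMPLE_TWIG = """\
<a href="/user/logout">{{ 'Log out'|t }}</a>
<a href="{{ path('user.logout') }}">{{ 'Log out'|t }}</a>
<a href="/user/logout?destination=/front">Sign out</a>
<a href="/user/logout-help">Help</a>
"""

if __name__ == "__main__":
    for lineno, url in find_hardcoded_logout(SAMPLE_TWIG):
        print(f"line {lineno}: {url} -> generate with path('user.logout')")
```

Findings are candidates for review rather than confirmed problems; each flagged link should be replaced with a generated URL as in the Twig example above.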
Impacts:
Module developers
Themers