Problem/Motivation

Passing sensitive tokens (like access tokens, session tokens, or auth tokens) in the URL, especially during logout, is insecure. URLs are often logged in browser history, server logs, proxy logs, and analytics systems. This can lead to unintentional exposure of sensitive information and possible session hijacking if the token remains valid.

Steps to reproduce

While analyzing the logout functionality, it was observed that the token was passed in the URL as a query parameter (https://new.drupal.org/user/logout?token=7Yl4PprbW-TUhdXVM2c39NySlPeWxPp...). This was identified by intercepting the logout request using Burp Suite, where the token value appeared in the request URL instead of a secure location like headers or request body.

Proposed resolution

● Do not pass sensitive tokens in the URL.
● Use HTTP headers (e.g., Authorization: Bearer <token>) or secure cookies.
● Use POST method for logout instead of GET to prevent caching and URL exposure.
● Ensure token invalidation: Invalidate the session or token immediately after logout to prevent reuse.
● Implement secure logging: Mask or exclude sensitive values from logs and monitoring tools.
● Use HTTPS: Always ensure tokens and sensitive data are transmitted over secure connections.

Impact

1. Token Leakage in Logs: URLs can be stored in browser history, server access logs, or proxies, leading to token leakage.
2. Session Hijacking: If the token is not invalidated properly and is exposed through logs, an attacker may reuse it to impersonate the user.
3. Unintended Sharing: If users bookmark or share the URL, they might unknowingly expose the token.
4. Security Policy Violations: Violates security best practices and may impact compliance with data protection standards (e.g., GDPR, HIPAA).
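The "secure logging" item in the proposed resolution is the one defenders can act on regardless of how the token is classified: strip token-like query parameters from request lines before access logs are written or shipped to analytics. The following is an added example, not code from the issue or from Drupal; the log lines are constructed samples in combined log format, and the set of parameter names treated as sensitive is an assumption to be adapted per site.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample access-log lines (combined log format); not real drupal.org traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /user/logout?token=7Yl4PprbW-TUhdXVM2c39NySlPeWxPp HTTP/1.1" 303 0
203.0.113.5 - - [10/Mar/2025:10:00:02 +0000] "GET /node/1?page=2 HTTP/1.1" 200 5123
198.51.100.7 - - [10/Mar/2025:10:00:03 +0000] "POST /oauth/cb?access_token=abc123&state=xyz HTTP/1.1" 200 17
"""

# Assumed list of query parameter names whose values must never reach a log.
SENSITIVE_PARAMS = {"token", "access_token", "session", "sid", "auth"}

# Matches the quoted request line: method, request target, protocol.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)"')


def redact_target(target: str) -> str:
    """Replace the value of every sensitive query parameter in a request target."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = [
        (name, "[REDACTED]" if name.lower() in SENSITIVE_PARAMS else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    # safe="[]" keeps the marker readable instead of percent-encoding the brackets.
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def redact_line(line: str) -> str:
    """Redact the request target inside one access-log line; other fields are untouched."""
    return REQUEST_LINE.sub(
        lambda m: f'"{m["method"]} {redact_target(m["target"])} {m["proto"]}"', line
    )


def redact_log(text: str) -> list[str]:
    """Redact every line of a log blob; run this before lines are stored or forwarded."""
    return [redact_line(line) for line in text.splitlines()]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Redacting at the point where the log is written means the token never reaches browser history of admins, proxy archives or analytics exports, which addresses the leakage paths listed under Impact without changing how the application itself issues the token.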

Comments

bala_28 created an issue. See original summary.


longwave

Status: Active » Postponed (maintainer needs more info)
Issue tags: -logout link, -logout problem, -CSRF Token

The token in question is not a sensitive token, in fact it was explicitly added to prevent a security issue. It is a CSRF token designed to ensure that the user actually requested the log out function and this has not been induced by an attacker.

If you are able to perform an attack using this token, please provide further information to the security team in private by following the instructions here: https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquett... - do not post any sensitive information in this public issue.

quietone

Title: Sensitive Information in Logout URL. » Sensitive Information in Logout URL
Version: 10.4.x-dev » 11.x-dev

In Drupal core changes are made on 11.x (our main development branch) first, and are then back ported as needed according to the Core change policies. Thanks

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.

quietone

Status: Postponed (maintainer needs more info) » Closed (works as designed)
Issue tags: +Bug Smash Initiative

This was answered 10 months ago by a security team member. Therefore, closing this issue.
