Secure PHP Logout Script.

This is a short PHP tutorial on how to create a simple user logout script that guards against CSRF attacks.

CSRF attack.

In case you didn’t already know, CSRF stands for Cross-Site Request Forgery, which is a type of attack that tricks unsuspecting users into doing something that they didn’t intend on doing.

In the context of our logout system, such an attack could be used to trick unsuspecting users into logging out of the website.

Example.

Let’s take a look at the following example, which assumes that your logout script is located at logout.php:

1	<a href="logout.php">http://google.com</a>

The HTML link above will look like a link to Google’s website. However, if an unsuspecting user clicks on it, they will logged out of the system.

Session token.

When the user logs into your website, you should provide them with a cryptographically secure token. This token can then be used to validate certain actions and guard against CSRF attacks.

An example of what you might have in your login script:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

<?php   //start the session. session_start();   /** * The code below should be executed after the user has successfully logged in. * It can also be executed whenever you need to * give the user a new token. */   //create a cryptographically secure token. $userToken = bin2hex(openssl_random_pseudo_bytes(24));   //assign the token to a session variable. $_SESSION['user_token'] = $userToken;   //redirect user to home page header('Location: home.php'); exit;

In the PHP code above, we created a token and assigned it to a session token.

Our logout link.

The HTML link to out PHP logout script should look something like this:

1	<a href="logout.php?token=<?= $_SESSION['user_token'] ?>">Logout</a>

As you can see, the secure token that we gave the user when they logged into our system has been appended to the link in the form of a GET parameter called “token”.

Clicking on such a link will lead to a URL such as:

logout.php?token=27b87f10bb05279a749f19396b34d9550e7945213bec9d36

This will let our PHP logout script know what token was being used when the user clicked on the logout button.

Our PHP logout script.

Finally, in our PHP logout script, we validate the token in the query string by comparing it against the token that is stored in the user’s session:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

<?php   //Start the session as normal. session_start();   //For backward compatibility with the hash_equals function. //The hash_equals function was released in PHP 5.6.0. //It allows us to perform a timing attack safe string comparison. if(!function_exists('hash_equals')) {     function hash_equals($str1, $str2) {         if(strlen($str1) != strlen($str2)) {             return false;         } else {             $res = $str1 ^ $str2;             $ret = 0;             for($i = strlen($res) - 1; $i >= 0; $i--) $ret |= ord($res[$i]);             return !$ret;         }     } }   //Get the token from the query string. $queryStrToken = isset($_GET['token']) ? $_GET['token'] : '';   //If the token in the query string matches the token in the user's //session, then we can destroy the session and log them out. if(hash_equals($_SESSION['user_token'], $queryStrToken)){     //Token is correct. Destroy the session.     session_destroy();     //Redirect them back to the home page or something.     header('Location: index.php');     exit; }

If the token is valid, we destroy the user’s session using PHP’s session_destroy function. This particular function will destroy all data that is registered to a session. If the token is invalid, then nothing happens and the user is not logged out.