Author Topic: Is it possible to log out a user with their cookies via a POST request?

Glorfindel (Newbie, Posts: 3)
My problem is that I'm running Roundcube inside an iframe in my ExtJS application. When users log in to my application, I send their credentials via POST to a PHP script, which uses them to log the user in to the Roundcube server and returns the cookies to the user, and that all works. The problem is the logout part: I want the user to be logged out of the Roundcube server too when they log out of my application. I'm passing the roundcube_sessauth and roundcube_sessid cookies in the header and using ?_task=logout in the URL, but I'm getting this error:


For your protection, access to this resource is secured against CSRF.
If you see this, you probably didn't log out before leaving the web application.

Human interaction is now required to continue.
Please contact your server-administrator.

Can someone explain if this is possible to accomplish or if I am doing something wrong?

JohnDoh (Global Moderator, Hero Member, Posts: 2,395)
Re: Is it possible to log out a user with their cookies via a POST request?
« Reply #1 on: August 23, 2019, 02:00:09 AM »
I guess you are using a plugin to do the remote login into Roundcube, and I think in a similar way you would also need a plugin to do a remote logout, to bypass the standard CSRF. These 2 functions are what rc calls to do the logout:
Code: [Select]
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…
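
The error quoted in the question is Roundcube's CSRF check rejecting a logout request that carries the session cookies but no request token. As an added example (not code from this thread or from Roundcube), here is one way a PHP proxy could build a logout request that keeps the check in place. It assumes the page served to the logged-in session exposes the token as `request_token` in its inline JavaScript environment and that logout accepts it as `_token`; the function names, host and sample values are constructed for illustration.

```php
<?php
// Added example. Assumption: a logged-in Roundcube page embeds
// "request_token":"<value>" in its inline JS environment.

/** Extract the CSRF request token from a logged-in page, or null if absent. */
function extract_request_token(string $html): ?string
{
    if (preg_match('/"request_token"\s*:\s*"([A-Za-z0-9]+)"/', $html, $m)) {
        return $m[1];
    }
    return null; // not logged in, or page layout differs from the assumption
}

/** Build the logout URL carrying the token bound to this session. */
function build_logout_url(string $baseUrl, string $token): string
{
    return rtrim($baseUrl, '/') . '/?' . http_build_query([
        '_task'  => 'logout',
        '_token' => $token,
    ]);
}

/** Build the Cookie header from the two session cookies named in the post. */
function build_cookie_header(string $sessid, string $sessauth): string
{
    foreach ([$sessid, $sessauth] as $value) {
        // Refuse anything that could split or inject headers.
        if (!preg_match('/^[A-Za-z0-9._-]+$/', $value)) {
            throw new InvalidArgumentException('unexpected cookie value');
        }
    }
    return "Cookie: roundcube_sessid=$sessid; roundcube_sessauth=$sessauth";
}

// Constructed sample input: a fragment of a logged-in page and cookie values.
$samplePage = '<script>rcmail.set_env({"task":"mail",'
            . '"request_token":"Ab12Cd34Ef56Gh78Ij90Kl12Mn34Op56"});</script>';

$token = extract_request_token($samplePage);
if ($token === null) {
    fwrite(STDERR, "no request token found; session is probably not logged in\n");
    exit(1);
}
echo build_logout_url('https://mail.example.test/roundcube', $token), "\n";
echo build_cookie_header('sampleSessId123', 'S0a1b2c3d4e5f-1566500000'), "\n";
```

The token must be read from a page fetched with the same session cookies that are sent on the logout request, since it is bound to that session.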