Changed logout routes to POST instead of GET

As per #3047. Also made some SAML specific fixes: - IDP initiated login was broken due to forced default session value. Double checked against OneLogin lib docs that this reverted logic was fine. - Changed how the saml login flow works to use 'withoutMiddleware' on the route instead of hacking out the session driver. This was due to the array driver (previously used for the hack) no longer being considered non-persistent.
2025-06-04 08:54:33 +08:00 · 2021-11-14 21:13:24 +00:00
parent fceb4ecc07
commit f910738a80
7 changed files with 26 additions and 27 deletions
--- a/resources/views/common/header.blade.php
+++ b/resources/views/common/header.blade.php
@ -71,11 +71,13 @@
                                <a href="{{ $currentUser->getEditUrl() }}">@icon('edit'){{ trans('common.edit_profile') }}</a>
                            </li>
                            <li>
-                                @if(config('auth.method') === 'saml2')
-                                    <a href="{{ url('/saml2/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
-                                @else
-                                    <a href="{{ url('/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
-                                @endif
+                                <form action="{{ url(config('auth.method') === 'saml2' ? '/saml2/logout' : '/logout') }}"
+                                      method="post">
+                                    {{ csrf_field() }}
+                                    <button class="text-muted icon-list-item text-primary">
+                                        @icon('logout'){{ trans('auth.logout') }}
+                                    </button>
+                                </form>
                            </li>
                            <li><hr></li>
                            <li>