1

I know that using button instead of anchor link in _LoginPartial.cshtml is to prevent cross domain GET requests, but I really need using anchor link to have a uniform nav-bar links. My question is: If I use anchor tag and use javascript code to call form submit method, will it be safe and prevent cross domain GET request? I mean replacing this code:

<button type="submit">Logout</button>

with this one:

<a href="javascript:document.getElementById('logoutForm').submit()"></a>
Amin
  • 221
  • 3
  • 13
  • The point of the button is actually to submit the logout request via POST, since GET requests are idempotent and should not have any side effects. CSRF is just gravy on top. If you need a link, you can either style the button as a link (which is really the optimal path, as stylistic appearance is the domain of CSS, not HTML or JavaScript.) or you can use JavaScript to submit the form on clicking your link. In either case, you should retain the request method as POST, not GET. – Chris Pratt Jul 02 '18 at 13:27

2 Answers2

2

The point about using a form there is that the form automatically includes a CSRF token. That token is what protects you against cross-site requests since it is only generated as part of the actual form, so not accessible from outside.

As long as that token is included and valid, you should be safe against CSRF. So yeah, submitting the form via JavaScript will be fine here.

Consider using a proper click event for your link though instead of javascript: links:

<a id="logout-link" href="#">Logout</a>

document.getElementById('logout-link').addEventListener('click', function (evt) {
    evt.preventDefault();
    document.getElementById('logoutForm').submit();
});
poke
  • 369,085
  • 72
  • 557
  • 602
1

It isn't necessary to change from a button to a link to achieve uniform nav-bar links. If you are using bootstrap you can make a button look like a link easily as shown, if not using bootstrap it is still possible to style a button to look like a link.

<button type="submit" class="btn btn-link">Logout</button>
Joe Audette
  • 35,330
  • 11
  • 106
  • 99
  • That does not really answer the question. – poke Jul 01 '18 at 19:12
  • I agree your answer more specifically answers the question asked, but he said he wants uniform navbar links, my answer shows how to do that without using a link instead of a button for logout. Sometimes people ask questions that have false assumptions, in this case a false assumption that only by using a link can he get uniform nav. – Joe Audette Jul 01 '18 at 19:24
  • @JoeAudette Thanks for your taking time. I know bootstrap and can say i'm professional in bootstrap coding, but in this project a predefined theme is used and it's really complicated. I tried to make changes to achieve my goal but i wasn't successful. By the way answering my question about cross-domain GET attack will increase my knowledge to use in other projects – Amin Jul 02 '18 at 05:46
  • Whoever downvoted this needs to go back to school. This answer is not only correct (and does in fact answer the question), but it's also the most optimal path. Saying that you were not able to style it properly is not a good excuse to go down a different and incorrect path. Learn how to use the CSS framework you're using (Bootstrap), do your research, etc. A button can be styled to look however you want it to look. – Chris Pratt Jul 02 '18 at 13:30