From fad3d905baa9a38b40e8305afb40736aa6cfed89 Mon Sep 17 00:00:00 2001
From: ankushchk
Date: Sun, 1 Mar 2026 19:40:10 +0530
Subject: [PATCH] fix: disable logout on GET to prevent CSRF logout attacks
---
 web/settings.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/web/settings.py b/web/settings.py
index 4ddcae8bb..1b67380a5 100644
--- a/web/settings.py
+++ b/web/settings.py
@@ -272,7 +272,9 @@ ACCOUNT_REMEMBER_ME_FIELD = "remember" # Match test field name
 ACCOUNT_LOGIN_ON_PASSWORD_RESET = True
 ACCOUNT_SIGNUP_PASSWORD_ENTER_TWICE = False
-ACCOUNT_LOGOUT_ON_GET = True
+# SECURITY: Must be False. Setting True allows any page to log out users
+# via a GET request (e.g. ), a CSRF attack vector.
+ACCOUNT_LOGOUT_ON_GET = False
 ACCOUNT_SIGNUP_EMAIL_ENTER_TWICE = False
 ACCOUNT_LOGOUT_ON_PASSWORD_CHANGE = False
 ACCOUNT_OLD_PASSWORD_FIELD_ENABLED = True