but I don't think logout is harmful, can u gimme another example pls?
Hm, that was a bad example.
Basically anything triggering an action can be affected. The action can be triggered involuntarily on the user's behalf, that's the actual problem. A CSRF Token prevents this.
Publishing a post, deleting your account, changing profile name, posting this comment, liking a post, ...
Depends on the application.
See owasp.org/www-community/attacks/csrf for more information
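An added example, not part of the original comments: a minimal server-side check showing why a request that carries the session cookie but no CSRF token is refused. The key, session ids, request dicts and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)       # assumption: per-deployment secret key
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only, no token required

def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_csrf_token(session_id: str) -> str:
    """Random nonce plus an HMAC that binds the token to one session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def csrf_token_valid(session_id: str, token) -> bool:
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    # Compare as bytes in constant time; non-ASCII str inputs would raise.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())

def handle(request: dict, sessions: set) -> int:
    """Return the HTTP status a state-changing endpoint would answer with."""
    session_id = request.get("cookies", {}).get("session")
    if session_id not in sessions:
        return 401                          # not logged in
    if request["method"] not in SAFE_METHODS:
        if not csrf_token_valid(session_id, request.get("form", {}).get("csrf_token")):
            return 403                      # cookie present, token missing or wrong
    return 200

def demo() -> dict:
    sessions = {"sess-alice", "sess-mallory"}   # constructed sample sessions
    token = issue_csrf_token("sess-alice")      # embedded in the site's own form
    cookie = {"session": "sess-alice"}          # the browser attaches this automatically
    return {
        "own_form": handle({"method": "POST", "cookies": cookie,
                            "form": {"name": "new", "csrf_token": token}}, sessions),
        # Cross-site POST: the cookie rides along, but the other site cannot read the token.
        "forged": handle({"method": "POST", "cookies": cookie, "form": {"name": "x"}}, sessions),
        # A token issued for a different session does not validate either.
        "other_session": handle({"method": "POST", "cookies": cookie,
                                 "form": {"csrf_token": issue_csrf_token("sess-mallory")}}, sessions),
        "read_only": handle({"method": "GET", "cookies": cookie}, sessions),
    }

if __name__ == "__main__":
    print(demo())
```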
I see, that makes sense. That's why CSRF Token will be regenerated for every request. Thanks, gonna read that soon
but, what if I alr handle that using token based auth? do I still need that?
login submit involuntarily
it can't be triggered if there's no valid creds and the resources are protected with token based auth