On 5 Jun 2009, at 00:36,
noah_mendelsohn@... wrote:
> Granting that naive users won't know to do this, and even
> sophisticated
> users can easily forget: to what extent can individuals protect
> themselves
> by logging off from one site before visiting another.
In theory, that would help (though there are some tricks to cause
logins when form fillers are active).
The real point here is, though, that today's web browsers will run
several web applications at the same time; these applications might
come from different origins, depend on each other, and talk to each
other.
In that circumstance, a "log out to prevent XSRF" practice just
doesn't make sense.
