From 7660bd9c5cca3c46cbe9eef105798ac4c2c84118 Mon Sep 17 00:00:00 2001
From: Hamid Samak <hamidreza.samak@gmail.com>
Date: Wed, 16 Feb 2022 10:29:26 +0330
Subject: [PATCH] Add token for logout action URL

---
 pheditor.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/pheditor.php b/pheditor.php
index bf42dd0..61c6a21 100755
--- a/pheditor.php
+++ b/pheditor.php
@@ -175,9 +175,11 @@
 }
 
 if (isset($_GET['logout'])) {
-	unset($_SESSION['pheditor_admin']);
+	if ($_GET['logout'] == $_SESSION['pheditor_token']) {
+		unset($_SESSION['pheditor_admin']);
 
-	session_destroy();
+		session_destroy();
+	}
 
 	redirect();
 }
@@ -1670,7 +1672,7 @@ function getCookie(name) {
 						<label class="custom-control-label" for="dark_mode"><i class="far fa-moon"></i></label>
 					</div>
 
-					<?php if (in_array('changepassword', $permissions)) { ?><a href="javascript:void(0);" class="change-password btn btn-sm btn-primary"><i class="fas fa-key"></i></a> &nbsp; <?php } ?><a href="<?= $_SERVER['SCRIPT_NAME'] ?>?logout=1" class="btn btn-sm btn-danger"><i class="fas fa-sign-out-alt"></i></a>
+					<?php if (in_array('changepassword', $permissions)) { ?><a href="javascript:void(0);" class="change-password btn btn-sm btn-primary"><i class="fas fa-key"></i></a> &nbsp; <?php } ?><a href="<?= $_SERVER['SCRIPT_NAME'] ?>?logout=<?= $_SESSION['pheditor_token'] ?>" class="btn btn-sm btn-danger"><i class="fas fa-sign-out-alt"></i></a>
 				</div>
 			</div>
 		</div>