#7989: Logout view should require POST request
---------------------------------------------+------------------------------
          Reporter:  jcassee                 |  Owner:
            Status:  reopened                |  Milestone:
         Component:  Authentication          |  Version:  SVN
        Resolution:                          |  Keywords:  authentication
             Stage:  Design decision needed  |  Has_patch:  0
        Needs_docs:  0                       |  Needs_tests:  0
Needs_better_patch:  0                       |
---------------------------------------------+------------------------------
Changes (by SamBull):
 * status: closed => reopened
 * resolution: wontfix =>

Comment:

While I agree that the JavaScript hack is ugly, I disagree with the wontfix ruling here. I think allowing GET-based logout on large social sites is problematic. It's trivial to wrap the logout view in another view that only allows POST, but such a view often has no sensible home in a django project. I don't see a good reason why the best practice isn't followed here. Requiring POST for these things is a potential nuisance, but it's the right thing to do.

Requiring POST for language changes can be a nuisance as well. In the past I've been able to create GET-like behaviour for language selection by replacing the POST form with a link that triggers a hidden form submit, using jQuery. It provides a nicer user experience when js is enabled, but it gracefully degrades to a "logout" submit button otherwise. I'd be happy to provide a code sample here for how this could be applied to logout.

I think backwards incompatibility concerns can be addressed with either an additional, optional parameter to the logout view or with an additional setting, called either "require_post" or "REQUIRE_POST_FOR_LOGOUT", respectively. The value would default to True. Developers would be free to change this to False so their GET-based logouts would still work.

I apologize for reopening this ticket, but I feel strongly that state-changing behaviour shouldn't be attached to GET requests, and that things get cruddier when that's allowed. If there's any interest in changing this behaviour, now that we are post-1.0, I would be happy to write a patch based on whichever method is preferred (no backwards compatibility, adding a param to logout, or adding a setting to settings).

-- 
Ticket URL: <http://code.djangoproject.com/ticket/7989#comment:6>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
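The two options the comment proposes, wrapping an existing logout view so it only accepts POST and giving `logout` an optional `require_post` parameter that defaults to True, as an added framework-free sketch (not Django's code, not part of the ticket). The `Request`, `Response` and session dict are stand-ins so the behaviour can be exercised without Django; the Allow header on the 405 follows the HTTP convention rather than anything on the ticket.

```python
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class Request:
    method: str
    session: dict = field(default_factory=dict)  # stand-in for request.session


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def method_not_allowed():
    # HTTP 405 with an Allow header telling the client which verb is accepted.
    return Response(405, "Logout requires POST", {"Allow": "POST"})


def require_post(view):
    """Option 1: wrap any view so GET (or anything but POST) is rejected.

    A GET to a logout URL can be triggered from a third-party page (an image
    tag is enough), so state changes are only reachable via POST."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.method != "POST":
            return method_not_allowed()
        return view(request, *args, **kwargs)
    return wrapper


def logout(request, require_post=True):
    """Option 2: the proposed optional parameter on the logout view itself.

    require_post=True is the suggested default; a project that still relies
    on GET-based logout links can pass False to keep its old behaviour."""
    if require_post and request.method != "POST":
        return method_not_allowed()
    request.session.clear()  # stand-in for flushing the session
    return Response(200, "Logged out")


# A pre-existing GET-tolerant logout wrapped with Option 1.
legacy_logout = lambda request: logout(request, require_post=False)
strict_logout = require_post(legacy_logout)
```

Calling `strict_logout(Request("GET", {"uid": 1}))` returns a 405 and leaves the session untouched, while a POST to either view clears it.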