#7989: Logout view should require POST request
---------------------------------------------+------------------------------
          Reporter:  jcassee                 |         Owner:                
            Status:  reopened                |     Milestone:                
         Component:  Authentication          |       Version:  SVN           
        Resolution:                          |      Keywords:  authentication
             Stage:  Design decision needed  |     Has_patch:  0             
        Needs_docs:  0                       |   Needs_tests:  0             
Needs_better_patch:  0                       |  
---------------------------------------------+------------------------------
Changes (by SamBull):

  * status:  closed => reopened
  * resolution:  wontfix =>

Comment:

 While I agree that the JavaScript hack is ugly, I disagree with the
 wontfix ruling here. I think allowing GET-based logout on large social
 sites is problematic. It's trivial to wrap the logout view in another view
 that only allows POST, but such a view often has no sensible home in a
 Django project.

 I don't see a good reason why the best practice isn't followed here.
 Requiring POST for these things is a potential nuisance, but it's the
 right thing to do. Requiring POST for language changes can be a nuisance
 as well. In the past I've been able to create GET-like behaviour for
 language selection by replacing the POST form with a link that triggers a
 hidden form submit, using jQuery. It provides a nicer user experience when
 JS is enabled but it gracefully degrades to a "logout" submit button
 otherwise. I'd be happy to provide a code sample here for how this could
 be applied to logout.

 I think backwards incompatibility concerns can be addressed with either an
 additional, optional parameter to the logout view or with an additional
 setting, called either "require_post" or "REQUIRE_POST_FOR_LOGOUT",
 respectively. The value would default to True. Developers would be free to
 change this to False so their GET-based logouts would still work.

 I apologize for reopening this ticket, but I feel strongly that state
 changing behaviour shouldn't be attached to GET requests, and that things
 get cruddier when that's allowed. If there's any interest in changing this
 behaviour, now that we are post-1.0, I would be happy to write a patch
 based on whichever method is preferred (no backwards compatibility, adding
 a param to logout, or adding a setting to settings).

-- 
Ticket URL: <http://code.djangoproject.com/ticket/7989#comment:6>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
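Added example, not from the ticket or from Django itself: a sketch of the "require_post" parameter / REQUIRE_POST_FOR_LOGOUT setting proposed in the comment above, defaulting to True and answering a GET with 405 Method Not Allowed. The Request/Response classes and the setting name are stand-ins so the snippet runs without Django installed; in a real project the view would take Django's HttpRequest and read the setting from django.conf.settings.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical setting from the ticket's proposal; True is the safe default.
REQUIRE_POST_FOR_LOGOUT = True


@dataclass
class Request:
    """Constructed stand-in for Django's HttpRequest."""
    method: str
    user: Optional[str] = None          # None means anonymous
    session: dict = field(default_factory=dict)


@dataclass
class Response:
    """Constructed stand-in for Django's HttpResponse."""
    status_code: int
    headers: dict = field(default_factory=dict)


def logout(request: Request, next_page: str = "/",
           require_post: Optional[bool] = None) -> Response:
    """Log the user out, refusing GET unless the caller opts out.

    A logout reachable by GET is a state change any link or embedded
    resource on another site can trigger; insisting on POST ties the
    action to a form the site itself renders (and, in Django, to its
    CSRF protection).
    """
    if require_post is None:
        require_post = REQUIRE_POST_FOR_LOGOUT
    if require_post and request.method != "POST":
        # 405 plus an Allow header tells the client (and logs) why.
        return Response(405, {"Allow": "POST"})
    # Actual logout: drop session state and the authenticated user.
    request.session.clear()
    request.user = None
    return Response(302, {"Location": next_page})
```

Developers who still need the old behaviour would pass require_post=False (or set the setting to False), as the comment suggests for backwards compatibility.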