Re: [Django] #7989: Logout view should require POST request

2012-09-22 Thread Django
#7989: Logout view should require POST request
-+-
 Reporter:  jcassee          |  Owner:
 Type:      Uncategorized    |  Status:  closed
 Component: contrib.auth     |  Version:  master
 Severity:  Normal           |  Resolution:  duplicate
 Keywords:  authentication   |  Triage Stage:  Design decision needed
 Has patch: 0                |  Needs documentation:  0
 Needs tests: 0              |  Patch needs improvement:  0
 Easy pickings: 0            |  UI/UX:  0
-+-
Changes (by aaugustin):

 * status:  reopened => closed
 * resolution:   => duplicate


Comment:

 Reported again as #15619, with a longer discussion.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




Re: [Django] #7989: Logout view should require POST request

2012-09-21 Thread Django
#7989: Logout view should require POST request
-+-
 Reporter:  jcassee          |  Owner:
 Type:      Uncategorized    |  Status:  reopened
 Component: contrib.auth     |  Version:  master
 Severity:  Normal           |  Resolution:
 Keywords:  authentication   |  Triage Stage:  Design decision needed
 Has patch: 0                |  Needs documentation:  0
 Needs tests: 0              |  Patch needs improvement:  0
 Easy pickings: 0            |  UI/UX:  0
-+-
Changes (by aaugustin):

 * status:  closed => reopened
 * severity:   => Normal
 * type:   => Uncategorized
 * easy:   => 0
 * ui_ux:   => 0
 * resolution:  wontfix =>


Comment:

 Tentatively reopening, see https://groups.google.com/d/topic/django-developers/ax95u_f82D4/discussion


Re: [Django] #7989: Logout view should require POST request

2008-12-20 Thread Django
#7989: Logout view should require POST request
-+--
  Reporter:  jcassee | Owner:
Status:  closed  | Milestone:
 Component:  Authentication  |   Version:  SVN   
Resolution:  wontfix |  Keywords:  authentication
 Stage:  Design decision needed  | Has_patch:  0 
Needs_docs:  0   |   Needs_tests:  0 
Needs_better_patch:  0   |  
-+--
Changes (by kmtracey):

  * status:  reopened => closed
  * resolution:  => wontfix

Comment:

 Please read: http://docs.djangoproject.com/en/dev/internals/contributing/

 where it says please do not reopen tickets that have been closed wontfix
 by a core developer.  The right way to get a wontfix decision reconsidered
 is to raise the issue on the developers list, where there will be a wider
 audience to participate and perhaps change the mind(s) of the
 individual(s) who decided to wontfix the ticket, or perhaps change your
 mind.  Or not, if there is not enough interest or no minds are amenable to
 changing.  At any rate on that list you can be somewhat sure anyone who
 might be at all interested in the issue will at least see the
 conversation, which cannot be said for updates made to individual tickets
 in the tracker.


Re: [Django] #7989: Logout view should require POST request

2008-12-20 Thread Django
#7989: Logout view should require POST request
-+--
  Reporter:  jcassee | Owner:
Status:  reopened| Milestone:
 Component:  Authentication  |   Version:  SVN   
Resolution:  |  Keywords:  authentication
 Stage:  Design decision needed  | Has_patch:  0 
Needs_docs:  0   |   Needs_tests:  0 
Needs_better_patch:  0   |  
-+--
Comment (by Pyth):

 -0 is more like it.


Re: [Django] #7989: Logout view should require POST request

2008-12-20 Thread Django
#7989: Logout view should require POST request
-+--
  Reporter:  jcassee | Owner:
Status:  reopened| Milestone:
 Component:  Authentication  |   Version:  SVN   
Resolution:  |  Keywords:  authentication
 Stage:  Design decision needed  | Has_patch:  0 
Needs_docs:  0   |   Needs_tests:  0 
Needs_better_patch:  0   |  
-+--
Comment (by Pyth):

 -1. I find it unlikely that most developers are concerned about
 logout attacks for the nature of their application.  For the majority,
 this will add clutter and complicate things.  I appreciate that some
 people will want this functionality (I know I do), and it is trivial to add
 on a per-project basis.

 As an alternative to the POST approach (with its accompanying annoyance of
 forms or JavaScript) you might create a per-session token to prevent blind
 attacks.  A small substring algorithmically derived from the session
 identifier might be sufficient, considering what's at stake here.  This
 way you could use /logout/a5b8/ to log out.  At any rate, I think
 this should be up to the developer to add, while it would be acceptable
 for the documentation to raise awareness of this fact.

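The per-session token that Pyth sketches above, worked through as an added example (this is not code from the ticket, from Django, or from the commenter). The logout link carries a short token bound to the caller's own session, so a link or <img> on another origin, which does not know the token, cannot blindly end the session. The token is derived with a keyed HMAC over the session key rather than by taking a substring of it, so the URL reveals nothing about the session cookie if it lands in a referrer log or browser history. SECRET_KEY, the session key, the /logout/<token>/ layout and the eight-character default length are all assumptions of this example; the length sets how many guesses a blind attacker would need, which is the trade-off behind a four-character token such as /logout/a5b8/.

```python
"""Session-bound logout token for a GET-triggered logout link (added example)."""
import hashlib
import hmac
import re
from typing import Optional

# Constructed server secret, standing in for the project's SECRET_KEY (assumption).
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Assumed URL layout: the token is the last path segment, /logout/<hex token>/
LOGOUT_PATH = re.compile(r"^/logout/([0-9a-f]+)/$")


def logout_token(session_key: str, length: int = 8) -> str:
    """Derive the per-session logout token.

    HMAC-SHA256 over the session key with the server secret, truncated to
    `length` lowercase hex characters.  The keyed MAC means the token leaks
    nothing about the session key itself.
    """
    mac = hmac.new(SECRET_KEY, session_key.encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def guesses_to_exhaust(length: int) -> int:
    """How many tokens a blind attacker must try to be certain of a hit."""
    return 16 ** length


def logout_allowed(path: str, session_key: Optional[str], length: int = 8) -> bool:
    """Decide whether a request to `path` may end the session `session_key`.

    Only /logout/<token>/ with a token matching the caller's own session is
    accepted; a bare /logout/, a malformed path, a missing session or a
    wrong token is refused.  compare_digest keeps the comparison constant
    time so the token cannot be recovered byte by byte through timing.
    """
    if session_key is None:            # no session: nothing to log out of
        return False
    match = LOGOUT_PATH.match(path)
    if match is None:                  # bare /logout/ or malformed path
        return False
    expected = logout_token(session_key, length)
    return hmac.compare_digest(match.group(1), expected)


if __name__ == "__main__":
    # Constructed session key for the victim's browser.
    victim = "p8l3v6c1k9q2w4e7r5t0y1u2i3o4"
    # The link the site renders for the victim carries the victim's token.
    own_link = f"/logout/{logout_token(victim)}/"
    print("victim's own logout link:", own_link, logout_allowed(own_link, victim))
    # An attacker's page embeds <img src="https://site/logout/00000000/"> blindly.
    print("blind cross-site attempt:", logogut := None) if False else None
    print("blind cross-site attempt:", logout_allowed("/logout/00000000/", victim))
    print("work to guess a 4-char token:", guesses_to_exhaust(4))
```

The check must be made against the *requesting* browser's session, never against a session id passed in the URL; otherwise the token degenerates into a second, guessable session identifier.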



Re: [Django] #7989: Logout view should require POST request

2008-12-20 Thread Django
#7989: Logout view should require POST request
-+--
  Reporter:  jcassee | Owner:
Status:  reopened| Milestone:
 Component:  Authentication  |   Version:  SVN   
Resolution:  |  Keywords:  authentication
 Stage:  Design decision needed  | Has_patch:  0 
Needs_docs:  0   |   Needs_tests:  0 
Needs_better_patch:  0   |  
-+--
Changes (by SamBull):

  * status:  closed => reopened
  * resolution:  wontfix =>

Comment:

 While I agree that the JavaScript hack is ugly, I disagree with the
 wontfix ruling here. I think allowing GET-based logout on large social
 sites is problematic. It's trivial to wrap the logout view in another view
 that only allows POST, but such a view often has no sensible home in a
 django project.

 I don't see a good reason why the best practice isn't followed here.
 Requiring POST for these things is a potential nuisance, but it's the
 right thing to do. Requiring POST for language changes can be a nuisance
 as well. In the past I've been able to create GET-like behaviour for
 language selection by replacing the POST form with a link that triggers a
 hidden form submit, using jquery. It provides a nicer user experience when
 js is enabled but it gracefully degrades to a "logout" submit button
 otherwise. I'd be happy to provide a code sample here for how this could
 be applied to logout.

 I think backwards incompatibility concerns can be addressed with either an
 additional, optional parameter to the logout view or with an additional
 setting, called either "require_post" or "REQUIRE_POST_FOR_LOGOUT",
 respectively. The value would default to True. Developers would be free to
 change this to False so their GET-based logouts would still work.

 I apologize for reopening this ticket, but I feel strongly that state
 changing behaviour shouldn't be attached to GET requests, and that things
 get cruddier when that's allowed. If there's any interest in changing this
 behaviour, now that we are post-1.0, I would be happy to write a patch
 based on whichever method is preferred (no backwards compatibility, adding
 a param to logout, or adding a setting to settings)

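A sketch of the POST-only logout that SamBull proposes above, including the `require_post` switch (default True) he suggests, written as an added example that is not code from the ticket or from Django. The security point behind "requiring POST is the right thing" is that Django's CSRF middleware only checks unsafe methods such as POST and leaves GET alone, so a GET-triggered logout sits outside that protection entirely. In a real project Django's `require_POST` decorator and `CsrfViewMiddleware` play the roles of the `require_post` branch and the `csrf_ok` check here; the `Request` stand-in, the session dict and the cookie/form-field names are assumptions of this example.

```python
"""POST-only logout with a CSRF check and an opt-out switch (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Assumed names for the double-submit CSRF cookie and form field.
CSRF_COOKIE = "csrftoken"
CSRF_FIELD = "csrfmiddlewaretoken"


@dataclass
class Request:
    """Minimal stand-in for an HttpRequest, constructed for this example."""
    method: str
    session: Dict[str, str]
    COOKIES: Dict[str, str] = field(default_factory=dict)
    POST: Dict[str, str] = field(default_factory=dict)


def csrf_ok(request: Request) -> bool:
    """Double-submit check: the form field must equal the csrftoken cookie.

    A page on another origin can auto-submit a POST form to /logout/, but it
    cannot read the victim's cookie, so it cannot fill in a matching field.
    """
    cookie = request.COOKIES.get(CSRF_COOKIE, "")
    field_value = request.POST.get(CSRF_FIELD, "")
    return bool(cookie) and hmac.compare_digest(cookie, field_value)


def logout(request: Request, require_post: bool = True) -> Tuple[int, str]:
    """Log the user out.

    With require_post=True (the proposed default) a GET is answered with 405
    and never touches the session, and a POST must pass the CSRF check.
    With require_post=False the view behaves like the GET-based logout the
    ticket complains about, for projects that explicitly opt back in.
    """
    if require_post:
        if request.method != "POST":
            return 405, "Method Not Allowed"
        if not csrf_ok(request):
            return 403, "CSRF verification failed"
    request.session.clear()
    return 200, "Logged out"


def scenario(method: str, send_token: bool, require_post: bool = True) -> Tuple[int, bool]:
    """Run one request against a fresh logged-in session.

    Returns (status code, whether the user is still logged in afterwards).
    """
    token = secrets.token_hex(16)
    request = Request(method=method, session={"_auth_user_id": "42"},
                      COOKIES={CSRF_COOKIE: token})
    if method == "POST" and send_token:
        request.POST[CSRF_FIELD] = token     # only the site's own form can do this
    status, _ = logout(request, require_post=require_post)
    return status, "_auth_user_id" in request.session


if __name__ == "__main__":
    print("cross-site link or <img> (GET):     ", scenario("GET", False))
    print("cross-site auto-submitted POST:     ", scenario("POST", False))
    print("site's own logout form (POST):      ", scenario("POST", True))
    print("legacy GET with require_post=False: ", scenario("GET", False, require_post=False))
```

The jQuery trick SamBull describes changes nothing on the server side: the link submits a hidden POST form that still carries the CSRF field, and with JavaScript disabled the plain submit button sends the same request.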