Hi,

On 21.09.2012 at 14:59, Antonio Sanso wrote:
> Hi *,
>
> by chance I had to give a look at the LogoutServlet (o.a.s.auth.core.impl)
> and I have noticed that it does support out of the box GET and POST methods
> and this is also not configurable.
> As you know it would be better that the log out would work only for POST.
> There are several examples in the wild showing why... :)

Can you provide links and risks?

Thanks.

(for my testing GET /system/sling/logout.html was really helpful because I can use the browser. But the same holds for GET /content/page?action=delete which we do not have any longer for obvious reasons ;-) )

>
> What do you think about making it at least configurable, with the POST method by default?

+1 given some links.

Regards
Felix
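The proposal discussed in this thread (logout methods configurable, POST by default), sketched as an added example that is not part of the thread and not Sling's code. The class name and the `allowed.methods` init parameter are assumptions, and plain session invalidation stands in for the real logout call.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet, not Sling's LogoutServlet: the class name and the
// "allowed.methods" init parameter are assumptions made for illustration.
public class ConfigurableLogoutServlet extends HttpServlet {

    private Set<String> allowedMethods = Collections.singleton("POST"); // default

    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        String configured = config.getInitParameter("allowed.methods");
        if (configured == null) return;            // nothing set: keep POST only
        Set<String> methods = new LinkedHashSet<String>();
        for (String m : configured.split(",")) {
            String name = m.trim().toUpperCase(Locale.ROOT);
            if (!name.isEmpty()) methods.add(name);
        }
        if (!methods.isEmpty()) allowedMethods = methods;
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!allowedMethods.contains(req.getMethod())) {
            // Method not enabled by configuration: answer 405 and list what is
            resp.setHeader("Allow", String.join(", ", allowedMethods));
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        // Stand-in for the logout step: drop the session if one exists
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Setting `allowed.methods` to `GET,POST` on a test instance restores the browser-friendly logout URL mentioned above, while the shipped default stays POST only.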
