Hi Felix
On Sep 21, 2012, at 4:22 PM, Felix Meschberger wrote:

> Hi,
>
> On 21.09.2012 at 14:59, Antonio Sanso wrote:
>
>> Hi *,
>>
>> by chance I had to take a look at the LogoutServlet (o.a.s.auth.core.impl) and I have noticed that it supports out of the box GET and POST methods and this is also not configurable.
>>
>> As you know it would be better that the log out would work only for POST. There are several examples in the wild showing why... :)
>
> Can you provide links and risks? Thanks.

one simple one:

    For example, your sign-out should only work as a POST request so that someone cannot make your users sign out by just including an <img> tag in their forum signature.

taken from [0]. I would not call them risks but an annoyance, and all the other examples are kind of similar...

Regards

Antonio

[0] http://duruk.net/some-web-development-tips/

> (for my testing GET /system/sling/logout.html was really helpful because I can use the browser. But the same holds for GET /content/page?action=delete which we do not have any longer for obvious reasons ;-) )
>
>> What do you think about making it at least configurable, with the POST method by default?
>
> +1 given some links.
>
> Regards
> Felix
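The POST-only default with a configuration switch that the thread proposes, as an added illustration that is not the Sling LogoutServlet's own code: a plain Servlet API servlet (no OSGi wiring) with a hypothetical allowGetLogout flag.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout servlet illustrating the POST-only default discussed in
 * the thread. Not the Sling LogoutServlet; plain Servlet API, no OSGi wiring.
 */
public class PostOnlyLogoutServlet extends HttpServlet {

    // Assumed configuration switch: GET logout stays off unless an operator
    // explicitly turns it on (e.g. for browser-driven testing as Felix mentions).
    private final boolean allowGetLogout;

    public PostOnlyLogoutServlet(boolean allowGetLogout) {
        this.allowGetLogout = allowGetLogout;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (!allowGetLogout) {
            // A GET fired by an <img> tag pointing at the logout URL lands here
            // and is refused instead of ending the victim's session.
            resp.setHeader("Allow", "POST");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "Logout requires POST");
            return;
        }
        logout(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        logout(req, resp);
    }

    // Shared logout: drop the session if one exists, no body in the response.
    private void logout(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Refusing GET removes the image-tag trigger the thread describes; a cross-site form can still POST, so a CSRF token or an Origin header check is what closes that remaining gap.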
