Hi Antonio,

On Fri, Sep 21, 2012 at 8:59 AM, Antonio Sanso <[email protected]> wrote:

> Hi *,
>
> by chance I had to give a look at the LogoutServlet (o.a.s.auth.core.impl)
> and I have noticed that it does support out of the box GET and POST methods
> and this is also not configurable.
> As you know it would be better that the log out would work only for POST.
> There are several examples in the wild showing why... :)
>
> What do you think to do it at least configurable with POST method by
> default?
>

-0 to making this configurable
-1 to making only POST supported by default

This is obviously not backwards compatible. I'm unclear on the use case for configurability as logout is idempotent.

Justin

> Regards
>
> Antonio
>
