On Sept. 20, 2012, at 20:03, Carl Meyer <c...@oddbird.net> wrote:

> FWIW I agree, and I think #7989 should be reopened. I do logout-via-POST
> on all my projects nowadays to avoid logout CSRF, and it's really quite
> simple. You can easily style a form button to look however you want
> (including just like a link), so there's really no negative impact
> besides slightly more markup in the template.

I'm also in favor of reconsidering #7989, because Django has become a 
widely-used, general-purpose framework, and it has a responsibility to promote 
good practices.

For instance, readthedocs.org simply uses django.contrib.auth by the book [1], 
and thus is vulnerable to logout XSRF. (Disqus and Pinterest aren't vulnerable 
and RTD.org is the next site that crossed my mind — I'm not picking on RTD.org 
in any way.)

Django should provide as much built-in security as possible, especially for 
low-budget sites that can't afford security consultants.

> The only irritating bit is that the Django admin implements its own
> logout via GET, so you have to subclass AdminSite to fix that if you're
> using the admin.

Let's update the admin base template and logout view to use POST.

-- 
Aymeric.


[1] https://docs.djangoproject.com/en/dev/topics/auth/ says:

> For example, using the defaults, add the following line to your URLconf:
> (r'^accounts/login/$', 'django.contrib.auth.views.login'),
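As an added illustration of the logout-via-POST pattern discussed above (this is not code from the thread, from Django, or from readthedocs), here is a stdlib-only WSGI sketch of a logout endpoint that refuses GET and requires a per-session CSRF token on POST. The in-memory session store, the `call` request driver, and the sample session are constructed for the example; the `csrfmiddlewaretoken` field name simply mirrors the one Django's CSRF middleware uses.

```python
"""Logout-via-POST with a per-session CSRF token (stdlib-only WSGI sketch).

Constructed example: a logout endpoint that refuses GET, so a third-party
page embedding <img src="https://example/logout/"> cannot end a session,
and that requires a CSRF token bound to the session on POST.
"""
import hmac
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}.
# A real application would use its session backend instead.
SESSIONS = {}


def create_session(user):
    """Log a user in: mint a session id and a CSRF token tied to that session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session_id_from_cookie(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("sessionid")
    return morsel.value if morsel else None


def logout_app(environ, start_response):
    """WSGI endpoint for /logout/: accepts POST with a valid CSRF token only."""
    method = environ["REQUEST_METHOD"]
    sid = _session_id_from_cookie(environ)
    session = SESSIONS.get(sid)

    if method != "POST":
        # A GET logout is what makes logout CSRF trivial; refuse it outright.
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b"logout requires POST"]

    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    submitted = form.get("csrfmiddlewaretoken", [""])[0]

    # The token must match the one issued to this session; compare in constant time.
    if session is None or not hmac.compare_digest(submitted, session["csrf"]):
        start_response("403 Forbidden", [])
        return [b"CSRF verification failed"]

    # Valid request: end the session and clear the cookie.
    del SESSIONS[sid]
    start_response("200 OK", [("Set-Cookie", "sessionid=; Max-Age=0")])
    return [b"logged out"]


def call(method, sid=None, token=None):
    """Drive logout_app with a constructed request.

    Returns (status line, whether the session still exists afterwards).
    """
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = "/logout/"
    if sid:
        environ["HTTP_COOKIE"] = f"sessionid={sid}"
    body = f"csrfmiddlewaretoken={token}".encode() if token is not None else b""
    environ["CONTENT_TYPE"] = "application/x-www-form-urlencoded"
    environ["CONTENT_LENGTH"] = str(len(body))
    environ["wsgi.input"] = io.BytesIO(body)
    status = {}

    def start_response(status_line, headers):
        status["line"] = status_line

    b"".join(logout_app(environ, start_response))
    return status["line"], sid in SESSIONS


if __name__ == "__main__":
    sid = create_session("alice")
    print(call("GET", sid))                          # 405, session survives
    print(call("POST", sid, "not-the-token"))        # 403, session survives
    print(call("POST", sid, SESSIONS[sid]["csrf"]))  # 200, session gone
```

The form template then carries the token as a hidden field and the logout control is a styled submit button; a cross-site request cannot read the token, so only a form rendered by the site itself can end the session.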
