Hi everyone, there seems to be consensus that logging the client out on GET requests to the logout view is not great. Clients may try to prefetch links (this came up on IRC today). Attackers might annoy users by logging them out with embedded links to the logout URL.
The reason this was not changed yet is backwards compatibility. I'd like to propose deprecating logging out via GET with the usual deprecation cycle, so that we have the possibility to stop supporting it in Django 4.0. In my opinion, this is a fairly easy change for Django users to make upon a Django update. Some changes to Django itself will also have to be made (the admin templates), but I think it should be possible to do those before the 4.0 release. And even if that doesn't happen, emitting a DeprecationWarning in 3.1+ wouldn't harm, right? What do you think? I went ahead and created a PR for this: https://github.com/django/django/pull/12504 -- René Fleschenberg -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/9baf0189-fc7a-80a0-6543-559c2b2b186a%40fleschenberg.net.
