#7989: Logout view should require POST request
---------------------------------------------+------------------------------
          Reporter:  jcassee                 |         Owner:                
            Status:  reopened                |     Milestone:                
         Component:  Authentication          |       Version:  SVN           
        Resolution:                          |      Keywords:  authentication
             Stage:  Design decision needed  |     Has_patch:  0             
        Needs_docs:  0                       |   Needs_tests:  0             
Needs_better_patch:  0                       |  
---------------------------------------------+------------------------------
Comment (by Pyth):

 '''-1'''.   I find it unlikely that most developers are concerned about
 logout attacks for the nature of their application.  For the majority,
 this will add clutter and complicate things.  I appreciate that some
 people will want this functionality (I know I do), and it is trivial to add
 on a per-project basis.

 As an alternative to the POST approach (with its accompanying annoyance of
 forms or JavaScript) you might create a per-session token to prevent blind
 attacks.  A small substring algorithmically derived from the session
 identifier might be sufficient, considering what's at stake here.  This
 way you could use '''/logout/a5b8/''' to log out.  At any rate, I think
 this should be up to the developer to add, while it would be acceptable
 for the documentation to raise awareness of this fact.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/7989#comment:7>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
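Added example (not Django's code and not from the ticket) modelling the two defences the comment contrasts: a logout view that only acts on POST, and a per-session logout token carried in the URL. The token is derived with a keyed HMAC over the session id (assumed server-side secret `SECRET_KEY`) rather than a raw substring of the session id, so the URL never exposes part of the session key; the session id and key below are constructed sample values.

```python
import hashlib
import hmac

# Constructed placeholder; a real deployment uses its own server-side secret.
SECRET_KEY = b"constructed-secret-key-for-demo"
TOKEN_LEN = 8  # hex characters exposed in the URL, e.g. /logout/a5b8c1d2/


def logout_token(session_id: str) -> str:
    """Derive a short logout token bound to this session.

    A keyed HMAC is used instead of a plain substring of the session id:
    the result is unguessable without SECRET_KEY and reveals nothing
    about the session key itself.
    """
    mac = hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:TOKEN_LEN]


def logout_allowed_post_only(method: str) -> bool:
    """Variant 1: ignore anything but POST.

    A hostile page can make a victim's browser issue a GET to /logout/
    (an <img src> is enough), but cannot make it submit a cross-site
    POST carrying the site's CSRF token.
    """
    return method.upper() == "POST"


def logout_allowed_with_token(session_id: str, url_token: str) -> bool:
    """Variant 2: accept GET, but only with the token tied to this session.

    A blind /logout/ link fails because the attacker does not know the
    victim's token; a token copied from the attacker's own session fails
    because it is bound to a different session id.
    """
    expected = logout_token(session_id)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, url_token)


if __name__ == "__main__":
    sid = "constructed-session-id-0001"
    print("POST-only:", logout_allowed_post_only("GET"), logout_allowed_post_only("POST"))
    tok = logout_token(sid)
    print(f"/logout/{tok}/ ->", logout_allowed_with_token(sid, tok))
    print("wrong token ->", logout_allowed_with_token(sid, "00000000"))
```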