#7989: Logout view should require POST request
---------------------------------------------+------------------------------
Reporter: jcassee | Owner:
Status: reopened | Milestone:
Component: Authentication | Version: SVN
Resolution: | Keywords: authentication
Stage: Design decision needed | Has_patch: 0
Needs_docs: 0 | Needs_tests: 0
Needs_better_patch: 0 |
---------------------------------------------+------------------------------
Comment (by Pyth):
'''-1'''. I find it unlikely that most developers are concerned about
logout attacks for the nature of their application. For the majority,
this will add clutter and complicate things. I appreciate that some
people will want this functionality (I know I do), and it is trivial to add
on a per-project basis.
As an alternative to the POST approach (with its accompanying annoyance of
forms or JavaScript) you might create a per-session token to prevent blind
attacks. A small substring algorithmically derived from the session
identifier might be sufficient, considering what's at stake here. This
way you could use '''/logout/a5b8/''' to log out. At any rate, I think
this should be up to the developer to add, while it would be acceptable
for the documentation to raise awareness of this fact.
--
Ticket URL: <http://code.djangoproject.com/ticket/7989#comment:7>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.