#15619: Logout link should be a form
------------------------------------------------+----------------------
Reporter: void | Owner: nobody
Status: closed | Milestone:
Component: django.contrib.admin | Version: SVN
Resolution: wontfix | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 |
------------------------------------------------+----------------------
Changes (by russellm):
* status: new => closed
* needs_docs: => 0
* resolution: => wontfix
* needs_tests: => 0
* needs_better_patch: => 0
Comment:
The [http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html HTTP spec] says
(9.1.1) that GET requests "[http://www.ietf.org/rfc/rfc2119.txt SHOULD
NOT] have the significance of taking an action other than retrieval", and
"ought to be considered 'safe'". It also says (9.1.2) that GET has the
property of idempotence. A logout link is idempotent. Therefore, we are
HTTP compliant.
As for CSRF, I fail to see why this is relevant. Given that there is no
incoming data, and no data processing, I cannot see a CSRF weakness, even
in principle.
--
Ticket URL: <http://code.djangoproject.com/ticket/15619#comment:1>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.