#15619: Logout link should be a form
------------------------------------------------+----------------------
Reporter: void | Owner: nobody
Status: closed | Milestone:
Component: django.contrib.admin | Version: SVN
Resolution: wontfix | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 |
------------------------------------------------+----------------------
Comment (by void):
The logout link is idempotent, right. But GET /logout/ does a job other than
retrieval. It destroys a session. Deletes something. Imagine a bot which
crawls every link on the site. After visiting /logout/ the state of the
system will change and visiting every link will redirect to the login form.
So, I think, in an ideal world the /logout/ link should be visited only with
DELETE requests. Browsers don't allow DELETE (without XHR), so we have
two options to emulate it: with GET and with POST. For now it's GET. But
this GET is not really "safe", it deletes the session.
--
Ticket URL: <http://code.djangoproject.com/ticket/15619#comment:2>
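
Added example (not part of the ticket and not Django's code): a stdlib-only WSGI sketch of the behaviour the comment argues for, where a crawler's GET to /logout/ leaves the session alone and only a POST from the logout form destroys it. The session store, cookie name and helper functions are hypothetical.

```python
# Added illustration; all names and sample data are constructed.
SESSIONS = {"abc123": "void"}  # constructed store: session id -> user


def app(environ, start_response):
    """Tiny WSGI app: /logout/ destroys the session only on POST."""
    method = environ["REQUEST_METHOD"]
    path = environ["PATH_INFO"]
    sid = environ.get("HTTP_COOKIE", "").partition("sessionid=")[2]
    if path == "/logout/":
        if method != "POST":
            # GET/HEAD are "safe" methods and must not change state.
            start_response("405 Method Not Allowed", [("Allow", "POST")])
            return [b"use the logout form"]
        SESSIONS.pop(sid, None)  # the state change happens here only
        start_response("303 See Other", [("Location", "/login/")])
        return [b""]
    if sid not in SESSIONS:
        start_response("302 Found", [("Location", "/login/")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    # A real form would also carry a CSRF token; omitted here.
    return [b'<form method="post" action="/logout/">'
            b"<button>Log out</button></form>"]


def request(method, path, sid="abc123"):
    """Call the app in-process and return the status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "HTTP_COOKIE": "sessionid=" + sid}
    status = []
    app(environ, lambda s, headers: status.append(s))
    return status[0]


def crawl(paths):
    """Simulate a bot that follows every link with GET."""
    return [request("GET", p) for p in paths]


if __name__ == "__main__":
    print(crawl(["/", "/logout/", "/"]))   # session survives the crawl
    print(request("POST", "/logout/"))     # the form submission logs out
    print(request("GET", "/"))             # now redirected to /login/
```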