On 2014-12-01 22:44, Christoph M. Becker wrote:
> Tim Chase wrote:
> > haven't investigated recently, but I remember Django's ability to
> > trigger a log-out merely via a GET was something that irked me.
> >
> > All this to also say that performing non-idempotent actions on a
> > GET request is just begging for trouble. ;-)
>
> ACK. However, isn't log-out an idempotent action?
A minor note here...the OP talked about CherryPy and I've been in Django-land too long that I started talking Django. I'd have to pick open the scabs of my CherryPy experience to answer about CP. But yes, it appears that Django's contrib.auth module still allows for performing a logout/ on a GET (something I remember encountering/researching several years ago) rather than limiting it to a POST. As best I can tell, it doesn't even check the refer(r)er, so this charmingly means that I can put a tag like <img src="http://yoursite.example.com/logout/"> on *my* site, and it will log you out from yoursite.example.com despite. Not even a CSRF-token check because it's not a POST.

-tkc

--
https://mail.python.org/mailman/listinfo/python-list
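To make the point above concrete, here is an added, framework-agnostic model of the logout handler (not code from the thread or from Django): requests and sessions are plain dicts, the weak handler acts on any method, and the hardened one requires a POST carrying a token only the real page can read. The field name csrfmiddlewaretoken is borrowed from Django's forms for familiarity; everything else is a constructed stand-in.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for a framework request object."""
    method: str
    cookies: dict = field(default_factory=dict)  # sent by the browser even cross-site
    form: dict = field(default_factory=dict)     # POST body fields, if any


SESSIONS = {}  # session id -> {"user": name, "csrf": per-session token}


def login(user):
    """Create a session and its CSRF token; return the session id cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def logout_view_weak(request):
    """Logout that acts on any method, GET included: an <img> from another site suffices."""
    SESSIONS.pop(request.cookies.get("sessionid"), None)
    return 302  # redirect, as a logout view typically does


def logout_view_hardened(request):
    """Require the state-changing method AND a token the cross-site page cannot obtain."""
    if request.method != "POST":
        return 405
    session = SESSIONS.get(request.cookies.get("sessionid"))
    if session is None:
        return 302  # nothing to log out of
    token = request.form.get("csrfmiddlewaretoken", "")
    if not secrets.compare_digest(token, session["csrf"]):
        return 403  # cookie was sent, but the token proves the request came from elsewhere
    SESSIONS.pop(request.cookies["sessionid"])
    return 302


def cross_site_img_request(sid):
    """What <img src="http://yoursite.example.com/logout/"> on another site produces."""
    return Request(method="GET", cookies={"sessionid": sid})


def logged_in(sid):
    return sid in SESSIONS
```

The 405 alone is not the protection; an auto-submitting cross-site form can send a POST with the cookie, which is why the hardened view also compares the token.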