Logout view should require POST request
| Reported by: | Joost Cassee | Owned by: | |
| Cc: | joost@… | Triage Stage: | Design decision needed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
This ticket assumes that the mantra "GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval" is to be taken seriously and applied consistently. See for example ticket #3651.
The documentation on authentication suggests a logout view that takes a GET request ('How to log a user out'). Additionally, the django.contrib.auth.views.logout generic view accepts a GET request. This seems to go against the above principle, as it changes the internal state of the application.
Please consider a change for logout similar to the patch from ticket #3651. I am willing to do it myself if this ticket is accepted.
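The behaviour requested above, as an added example that is not part of the ticket and not Django's code: a framework-neutral WSGI logout handler, using only the Python standard library, that refuses GET and HEAD with 405 and ends the session only on POST. The `sessionid` cookie name, the in-memory `SESSIONS` store and the `request` helper are assumptions made for the illustration.

```python
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

# Constructed in-memory session store: session id -> username.
SESSIONS = {"s3cr3t-session-id": "alice"}


def logout_app(environ, start_response):
    """Log the user out only on POST; GET and HEAD stay side-effect free."""
    if environ["REQUEST_METHOD"] != "POST":
        # A safe method must not change state: refuse and name the allowed one.
        start_response("405 Method Not Allowed",
                       [("Allow", "POST"), ("Content-Type", "text/plain")])
        return [b"Logout requires POST\n"]
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookie["sessionid"].value if "sessionid" in cookie else None
    SESSIONS.pop(sid, None)  # the state change happens here, and only here
    start_response("303 See Other", [
        ("Location", "/"),
        # Expire the cookie on the client as well.
        ("Set-Cookie", "sessionid=; Max-Age=0; Path=/; HttpOnly"),
    ])
    return [b""]


def request(method, sid):
    """Drive the app with a constructed request; return (status, headers)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/logout",
               "HTTP_COOKIE": "sessionid=" + sid}
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    list(logout_app(environ, start_response))
    return seen["status"], seen["headers"]


if __name__ == "__main__":
    for method in ("GET", "HEAD", "POST"):
        status, _ = request(method, "s3cr3t-session-id")
        print(method, status, "session alive:", "s3cr3t-session-id" in SESSIONS)
```

In a real application the POST handler would also sit behind the framework's CSRF protection, which this sketch leaves out.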
Change History (11)
comment:10 Changed 5 years ago by
| Status: | closed → reopened |