On 09/20/2012 11:52 AM, Adam Taylor wrote:
> I recently read the Coding Horror article Cross-Site Request Forgeries
> and You
> <http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html>,
> which suggests requiring an HTTP POST form submission for logging out.
> This same suggestion is implied in the Django book (chapter 16's "A
> Simple CSRF Example" section
> <http://www.djangobook.com/en/2.0/chapter16/#cn160>). Then I found
> Django ticket #7989 Logout view should require POST request
> <https://code.djangoproject.com/ticket/7989>. I think that the "secure
> by default" mentality should be applied here, just like how variables
> are escaped by default in templates (you have to explicitly say that you
> /don't/ want them escaped).
FWIW I agree, and I think #7989 should be reopened. I do logout-via-POST on all my projects nowadays to avoid logout CSRF, and it's really quite simple. You can easily style a form button to look however you want (including just like a link), so there's really no negative impact besides slightly more markup in the template.

The only irritating bit is that the Django admin implements its own logout via GET, so you have to subclass AdminSite to fix that if you're using the admin.

Carl
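The logout-CSRF problem discussed in this thread, as an added stdlib-only illustration that is not part of the original thread and not Django's own code: a GET-triggered logout beside a POST-only, token-checked one, with a forged cross-site request and a legitimate form submission run against both. The names (Session, logout_via_get, logout_via_post, render_logout_form, simulate), the status codes and the simplified token check are assumptions standing in for a framework's session and CSRF machinery; the admin-site subclassing Carl mentions is not modelled here.

```python
"""Logout CSRF: a GET-triggered logout beside a POST-only, token-checked one.

Stdlib-only model of a web app's logout endpoint, constructed for illustration.
The names and the token handling are assumptions, not Django's API; Django's
CSRF middleware does more than this (cookie binding, referer checks for HTTPS).
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Server-side session tied to a cookie the browser sends on every request,
    including requests that a third-party page causes it to make."""
    user: Optional[str]
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def logout_via_get(method: str, session: Session, form: dict) -> int:
    """Vulnerable: any request to /logout/ ends the session.

    The browser attaches the session cookie automatically, so an attacker page
    containing <img src="https://example.test/logout/"> logs the victim out.
    """
    session.user = None
    return 302


def logout_via_post(method: str, session: Session, form: dict) -> int:
    """Hardened: only a POST carrying the session's CSRF token ends the session.

    A cross-site page can make the browser send a GET (or an auto-submitted
    POST), but it cannot read the token out of the victim's page, so the
    comparison fails and the session is left alone.
    """
    if method != "POST":
        return 405  # Method Not Allowed: GET no longer has a side effect
    sent = form.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(sent, session.csrf_token):
        return 403  # Forbidden: token missing or wrong
    session.user = None
    return 302


def render_logout_form(session: Session) -> str:
    """The markup the hardened version needs: a one-button form carrying the
    token. The button can be styled to look like a link; the extra markup is
    the only cost of the change."""
    return (
        '<form method="post" action="/logout/">'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{session.csrf_token}">'
        '<button type="submit" class="link-style">Log out</button>'
        "</form>"
    )


def simulate() -> dict:
    """Run a forged cross-site request and a legitimate form submission against
    both variants; report the status returned and who is still logged in."""
    results = {}

    # Forged request: attacker's <img> tag, victim's cookie, no token.
    s = Session(user="alice")
    logout_via_get("GET", s, {})
    results["get_variant_forged"] = s.user  # None: victim was logged out

    s = Session(user="alice")
    status = logout_via_post("GET", s, {})
    results["post_variant_forged_get"] = (status, s.user)  # (405, "alice")

    # Attacker escalates to an auto-submitting cross-site POST, still no token.
    s = Session(user="alice")
    status = logout_via_post("POST", s, {"csrfmiddlewaretoken": "guess"})
    results["post_variant_forged_post"] = (status, s.user)  # (403, "alice")

    # Legitimate submission of the rendered form: the token matches.
    s = Session(user="alice")
    status = logout_via_post("POST", s, {"csrfmiddlewaretoken": s.csrf_token})
    results["post_variant_legit"] = (status, s.user)  # (302, None)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

The point the simulation makes is that the method restriction alone is not enough once an attacker can auto-submit a cross-site form; it is the per-session token, which the attacker's page cannot read, that blocks the forged POST, while the 405 on GET removes the trivial image-tag vector.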