#15619: Logout link should be protected
-------------------------------------+-------------------------------------
Reporter: Alexey Boriskin | Owner: René Fleschenberg
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Michael):
Something that is maybe more likely than an XSS logout attack... is if some
non-tech-savvy user clicks back, or navigates to the logged-out URL, and sees
the message "You are logged out", and thinks they are logged out now and
it's safe to close the browser, but actually, since logout only happens via
POST now, they are still logged in. Yes, one can mitigate the issue with
some JavaScript on the logged-out page, but maybe the average developer
might miss this point when reading:
https://docs.djangoproject.com/en/dev/releases/4.1/#log-out-via-get
--
Ticket URL: <https://code.djangoproject.com/ticket/15619#comment:49>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
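The failure mode described in the comment above, as an added example that is not Django's own code or part of the ticket: a framework-free stand-in for the request cycle (Session, Request, Response and the CSRF_TOKEN constant are all constructed here) in which logout is POST-only, and the logged-out page checks the session before claiming the user is logged out, instead of relying on client-side JavaScript. It also marks the page `Cache-Control: no-store` so the back button cannot replay a stale confirmation.

```python
from dataclasses import dataclass, field

CSRF_TOKEN = "constructed-csrf-token"  # stands in for the CSRF middleware

@dataclass
class Session:
    data: dict = field(default_factory=dict)

    def flush(self) -> None:
        self.data.clear()

@dataclass
class Request:
    method: str
    session: Session
    post: dict = field(default_factory=dict)

    @property
    def is_authenticated(self) -> bool:
        return "user_id" in self.session.data

@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        # A cached copy is exactly what the back button would otherwise show.
        self.headers.setdefault("Cache-Control", "no-store")

def logout_view(request: Request) -> Response:
    """Logout as of Django 4.1: POST only, so a plain link or GET is a no-op."""
    if request.method != "POST":
        return Response(405, "Method Not Allowed", {"Allow": "POST"})
    if request.post.get("csrfmiddlewaretoken") != CSRF_TOKEN:
        return Response(403, "CSRF verification failed")
    request.session.flush()
    return Response(302, headers={"Location": "/logged-out/"})

def logged_out_view(request: Request) -> Response:
    """Confirm logout only if the session is really gone; otherwise offer the POST form."""
    if request.is_authenticated:
        body = ('<p>You are still logged in.</p>'
                '<form method="post" action="/logout/">'
                f'<input type="hidden" name="csrfmiddlewaretoken" value="{CSRF_TOKEN}">'
                '<button type="submit">Log out</button></form>')
    else:
        body = "<p>You are logged out.</p>"
    return Response(200, body)
```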