I've had a couple cases where browser link pre-fetching triggered
an unintended logout from my Django app (I haven't fully tracked down
the exact combination of triggering conditions, but I suspect they are
similar to Israel Brewster's CherryPy issue mentioned on
comp.lang.python [1]) and was surprised that Django suffered the same
issue.

Researching, I found

  https://code.djangoproject.com/ticket/15619

but see that it was last modified ~10mo ago, having been opened ~4yrs
ago. The current (development HEAD from git) versions of

  django/contrib/auth/views.py:logout()
  django/contrib/auth/__init__.py:logout()

still don't seem to contain any checks to ensure logouts can only
happen via POST rather than GET requests.

Is there any movement forward on resolving this so my browser
doesn't inconveniently boot me from the app when I don't intend to
log out?

-tkc
[1]
https://mail.python.org/pipermail/python-list/2014-December/682106.html
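
An added illustration of the POST-only logout check the message above says is missing, written as a stdlib WSGI app rather than Django code; it is not from the original post or from the Django project. The `SESSIONS` store, the `sid` cookie name and the `/logout` path are assumptions made for the example.

```python
# Added illustration, not Django code: a stdlib-only WSGI app whose
# /logout endpoint changes state only on POST.
from wsgiref.util import setup_testing_defaults

SESSIONS = {"abc123": "tkc"}  # constructed sample: session id -> username


def session_id(environ):
    """Extract the hypothetical 'sid' cookie value, or None if absent."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None


def app(environ, start_response):
    """Log out on POST /logout; refuse every other method with 405."""
    if environ.get("PATH_INFO") != "/logout":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if environ["REQUEST_METHOD"] != "POST":
        # A link prefetch arrives as a GET: reject it, keep the session.
        start_response("405 Method Not Allowed",
                       [("Allow", "POST"), ("Content-Type", "text/plain")])
        return [b"logout requires POST"]
    SESSIONS.pop(session_id(environ), None)
    start_response("303 See Other", [("Location", "/")])
    return [b""]


def request(method, path, cookie=""):
    """Drive the app in-process and return the response status line."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path, HTTP_COOKIE=cookie)
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]


if __name__ == "__main__":
    print(request("GET", "/logout", "sid=abc123"), SESSIONS)   # session kept
    print(request("POST", "/logout", "sid=abc123"), SESSIONS)  # session removed
```

In a real application the POST would also carry a CSRF token, so that another site cannot submit the logout form on the user's behalf.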