Status of #15619: logout via POST, but not GET


Tim Chase

Dec 3, 2014, 5:02:42 PM
I've had a couple cases where browser link pre-fetching triggered
an unintended logout from my Django app (I haven't fully tracked down
the exact combination of triggering conditions, but I suspect they're
similar to Israel Brewster's CherryPy issue mentioned on
comp.lang.python [1]) and was surprised that Django suffered the same

Researching, I found
but see that it was last modified ~10mo ago, having been opened ~4yrs
ago. The current (development HEAD from git) versions of


still don't seem to contain any checks to ensure logouts can only
happen via POST rather than GET requests.

Is there any movement forward on resolving this so my browser
doesn't inconveniently boot me from the app when I don't intend to
log out?




Tim Graham

Dec 3, 2014, 5:52:21 PM
Hi Tim,

There's an open pull request, but it was opened over a year ago and has gone stale. Maybe you'd like to review and update it.

You can use the patch review checklist:

If you are happy with the patch after that, please mark the ticket as "ready for checkin" for a final review from a core developer.


Curtis Maloney

Dec 3, 2014, 6:48:48 PM
Wasn't there a PR to turn all the auth views to CBV?

That would implicitly enforce the behaviour to POST-only, I would hope.



Tim Graham

Dec 3, 2014, 7:25:23 PM
I think you're thinking of The latest patch appears to allow logout via GET, but even if it enforced POST, there are still client-side (template) updates required to turn the logout links into form submissions, so I think it should be considered an independent task (I may be missing your reasoning).
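The POST-only logout the thread is asking for, sketched here as an added example (not Django's code, and deliberately framework-neutral so it runs without a Django install): a `require_post` decorator in the spirit of Django's `require_POST`, a per-session CSRF token check, and the template-side change Tim mentions, a logout form in place of a link that a prefetcher could follow. `Request`, `Response`, `SESSIONS`, `login` and `logout_form` are constructed stand-ins, not Django APIs.

```python
# Added example (not Django's code): framework-neutral POST-only logout.
# Request/Response and the in-memory SESSIONS store are constructed stand-ins.
from dataclasses import dataclass, field
import secrets


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)  # e.g. {"sessionid": "..."}
    post: dict = field(default_factory=dict)     # decoded form fields


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


# session id -> {"user": ..., "csrf_token": ...}; server-side, constructed.
SESSIONS: dict = {}


def login(user: str) -> str:
    """Create a session with its own CSRF token; return the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(16)}
    return sid


def is_logged_in(sid: str) -> bool:
    return sid in SESSIONS


def current_session(request: Request):
    sid = request.cookies.get("sessionid")
    return sid, SESSIONS.get(sid)


def require_post(view):
    """Refuse any method but POST with 405 + Allow header, before touching
    any state. A prefetcher or <img src> GET therefore changes nothing."""
    def wrapper(request: Request) -> Response:
        if request.method != "POST":
            return Response(405, "Method Not Allowed", {"Allow": "POST"})
        return view(request)
    return wrapper


def csrf_protect(view):
    """POST alone is not enough: a cross-site form can POST too, so the
    submitted token must match the one bound to the caller's session."""
    def wrapper(request: Request) -> Response:
        _, session = current_session(request)
        token = request.post.get("csrfmiddlewaretoken", "")
        if session is None or not token or not secrets.compare_digest(
            token, session["csrf_token"]
        ):
            return Response(403, "CSRF verification failed")
        return view(request)
    return wrapper


@require_post      # outermost: GET is rejected before the CSRF check runs
@csrf_protect
def logout_view(request: Request) -> Response:
    """Destroy the session and expire the cookie; reached only via a valid POST."""
    sid, _ = current_session(request)
    SESSIONS.pop(sid, None)
    return Response(200, "Logged out", {"Set-Cookie": "sessionid=; Max-Age=0"})


def logout_form(request: Request) -> str:
    """Template-side counterpart: render logout as a form, not an <a href>."""
    _, session = current_session(request)
    token = session["csrf_token"] if session else ""
    return (
        '<form method="post" action="/logout/">'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'
        '<button type="submit">Log out</button></form>'
    )


if __name__ == "__main__":
    sid = login("alice")
    print(logout_view(Request("GET", {"sessionid": sid})).status)   # 405, still logged in
    tok = SESSIONS[sid]["csrf_token"]
    print(logout_view(Request("POST", {"sessionid": sid},
                              {"csrfmiddlewaretoken": tok})).status)  # 200, session gone
```

The decorator order is the security-relevant detail: with `require_post` outermost, a GET never reaches session code at all, which is exactly the property the prefetching browser needs. The CSRF check is what makes the switch to POST worth anything; Django's own `LogoutView` gets both from `require_POST`-style dispatch plus `CsrfViewMiddleware`.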

Marc Tamlyn

Dec 4, 2014, 2:18:32 AM
From a brief look, the changes in the pull request do not appear to consider backwards compatibility at all, which would be important.

The argument that it's ok because it would now just show a confirmation page is insufficient as if someone had built a confirmation page there would now be two. Also it requires every user to ensure such a confirmation page fits the look of their website.

A possible solution would be to introduce a new view (logout_confirm) which describes the new behaviour and throw deprecation warnings on the old logout view.

In my opinion this change is not worth the backwards incompatibility.

Collin Anderson

Dec 4, 2014, 11:17:35 PM
I was just thinking about this. I agree that a GET causing logout is wrong, and we need to not break things, and I agree we need to keep the original view untouched so we don't break anything. _Maybe_ deprecate it. The admin could begin using the new view right away.
