Shouldn't logout be a POST?

1272 views
Skip to first unread message

rasmusrn

unread,
Oct 30, 2009, 6:22:52 PM10/30/09
to Devise
Hi there,

Jose Valim/Plataformatac, thank you very much for devise. I just setup
authentication using it, and I LOVE it. I especially love my project
is not filled with a lot of generated code (like with
restful_authentication).

I want to ask you why the destroy_user_session is a GET request? As it
changes the state of the server is cannot be considered idempotent,
and thus should not be a GET request. At least that's my
understanding.
(http://www.cs.tut.fi/~jkorpela/forms/methods.html)

I'd like to hear the author's opinion on this please.

Thank you.

José Valim

unread,
Oct 30, 2009, 7:06:03 PM10/30/09
to plataforma...@googlegroups.com
In theory, I think it should really be a DELETE since we are deleting a resource in the server.

But, to implement this, we would have to do one of the following options:

1) Use link_to("Sign out", :method => :delete) which requires javascript. But I do not consider valid to assume that your users need javascript enabled to sign out.

2) Use a form where the button is styled as link. But this is too complicated for the developer.

So I chose the simplest way, which is allow a GET request. Since sessions is not a resource consumable through an API (it's just for browsers), it's not a bad hypothesis at all.

Do you agree? :)

Regards,
--
José Valim

rasmusrn

unread,
Oct 30, 2009, 7:40:06 PM10/30/09
to Devise
Thank you for your reply.

I do not agree that it ideally should be a DELETE request. DELETE
should only be used when you're actually deleting the resource
specified by the URI. And since it does not make sense to say, that we
are deleting the users/sign_out resource, I think DELETE should not be
used. POST would be more appropriate.

Have a look at the description of DELETE here:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

That being said, I agree that it is wrong to require javascript to
logout. I can now understand why you chose GET.

Most of my sites rely heavily on javascript (you cannot use them
without it enabled), and for these sites I'd personally prefer if I
could somehow customize Devise to make sign out a POST request. I'd
then setup the logout link using a technique like the ones I've
described here:
http://rrn.dk/unobtrusive-javascript-in-rails-using-prototype

For example: <a href="/users/sign_out" class="post">Logout</a>

If you feel this is too much of a "special case" to include it in
Devise, I can understand that.

Ideally, I'd rather write something like <a href="/users/sign_out"
method="post">Logout</a> (without the use of javascript at all), but I
think we'll have to wait a little while before browsers allow us to do
that ;-)

Regards,
Rasmus

José Valim

unread,
Oct 30, 2009, 7:49:27 PM10/30/09
to plataforma...@googlegroups.com
Agreed on POST. :)

For example: <a href="/users/sign_out" class="post">Logout</a>

But that would work only if I have javascript enabled and/or I allow both post and get requests.
I can definitely accept a patch that make it work with both POST and GET. :)

Ideally, I'd rather write something like <a href="/users/sign_out"
method="post">Logout</a> (without the use of javascript at all), but I
think we'll have to wait a little while before browsers allow us to do
that ;-)

Oh yeah! Can't wait until this day! :)

Thanks for your feedback as well Rasmus!

Regards!

--
José Valim
Reply all
Reply to author
Forward
0 new messages