shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian Demers (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SHIRO-595) Allow for POST only logout requests
Date Fri, 21 Oct 2016 14:15:58 GMT
Brian Demers created SHIRO-595:
----------------------------------

             Summary: Allow for POST only logout requests
                 Key: SHIRO-595
                 URL: https://issues.apache.org/jira/browse/SHIRO-595
             Project: Shiro
          Issue Type: Bug
            Reporter: Brian Demers


See:
http://stackoverflow.com/questions/3521290/logout-get-or-post

A logout causes a change of state, so should NOT be a GET.

Also, due to browser pre-fetching, a typing {{http://localhost:8080/log}} may cause a prefetch
to {{/logout}}

To stay backwards compatible, this need to be an op-in feature.

The proposed solution set a {{shiro.postOnlyLogout = true}} attribute, (same as {{logout.postOnlyLogout
= true}})






--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message