You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shiro.apache.org by "Brian Demers (JIRA)" <ji...@apache.org> on 2016/10/21 14:15:58 UTC

[jira] [Created] (SHIRO-595) Allow for POST only logout requests

Brian Demers created SHIRO-595:
----------------------------------

             Summary: Allow for POST only logout requests
                 Key: SHIRO-595
                 URL: https://issues.apache.org/jira/browse/SHIRO-595
             Project: Shiro
          Issue Type: Bug
            Reporter: Brian Demers


See:
http://stackoverflow.com/questions/3521290/logout-get-or-post

A logout causes a change of state, so should NOT be a GET.

Also, due to browser pre-fetching, a typing {{http://localhost:8080/log}} may cause a prefetch to {{/logout}}

To stay backwards compatible, this need to be an op-in feature.

The proposed solution set a {{shiro.postOnlyLogout = true}} attribute, (same as {{logout.postOnlyLogout = true}})






--
This message was sent by Atlassian JIRA
(v6.3.4#6332)