Posted to dev@shiro.apache.org by "Brian Demers (JIRA)" <ji...@apache.org> on 2016/10/21 14:15:58 UTC
[jira] [Created] (SHIRO-595) Allow for POST only logout requests
Brian Demers created SHIRO-595:
----------------------------------
Summary: Allow for POST only logout requests
Key: SHIRO-595
URL: https://issues.apache.org/jira/browse/SHIRO-595
Project: Shiro
Issue Type: Bug
Reporter: Brian Demers
See:
http://stackoverflow.com/questions/3521290/logout-get-or-post
A logout causes a change of state, so should NOT be a GET.
Also, due to browser pre-fetching, typing {{http://localhost:8080/log}} may cause a prefetch to {{/logout}}.
To stay backwards compatible, this needs to be an opt-in feature.
The proposed solution sets a {{shiro.postOnlyLogout = true}} attribute (same as {{logout.postOnlyLogout = true}}).
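A sketch of the opt-in behaviour the issue proposes, added here as an example and not taken from the issue or from Shiro's code base: a `LogoutFilter` subclass that performs the logout only for POST requests when a flag is set. The class name `PostOnlyLogoutFilter`, the package `com.example`, and the choice of a 405 response are assumptions; the property name follows the issue text.

```java
package com.example; // hypothetical package, not part of Shiro

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.authc.LogoutFilter;
import org.apache.shiro.web.util.WebUtils;

/*
 * Illustrative shiro.ini wiring (assumed, mirrors the property named in the issue):
 *
 *   [main]
 *   logout = com.example.PostOnlyLogoutFilter
 *   logout.postOnlyLogout = true
 *
 *   [urls]
 *   /logout = logout
 */
public class PostOnlyLogoutFilter extends LogoutFilter {

    // Off by default so existing GET-based logout links keep working (opt-in).
    private boolean postOnlyLogout = false;

    public void setPostOnlyLogout(boolean postOnlyLogout) {
        this.postOnlyLogout = postOnlyLogout;
    }

    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response)
            throws Exception {
        if (postOnlyLogout) {
            String method = WebUtils.toHttp(request).getMethod();
            if (!"POST".equalsIgnoreCase(method)) {
                // A prefetched or linked GET must not end the session:
                // answer 405 and advertise the accepted method instead.
                HttpServletResponse http = WebUtils.toHttp(response);
                http.setHeader("Allow", "POST");
                http.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return false; // stop the filter chain, subject stays logged in
            }
        }
        // POST (or flag disabled): fall through to the normal logout handling.
        return super.preHandle(request, response);
    }
}
```

With the flag enabled, the logout control in the page has to be a form submission rather than a plain link, otherwise users receive the 405 response.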