Cherrypy - prevent browser "prefetch"?
Tim Chase
python.list at tim.thechases.com
Mon Dec 1 17:04:20 EST 2014
On 2014-12-01 22:44, Christoph M. Becker wrote:
> Tim Chase wrote:
> > haven't investigated recently, but I remember Django's ability to
> > trigger a log-out merely via a GET was something that irked me.
> >
> > All this to also say that performing non-idempotent actions on a
> > GET request is just begging for trouble. ;-)
>
> ACK. However, isn't log-out an idempotent action?
A minor note here... the OP talked about CherryPy, and I've been in
Django-land so long that I started talking Django. I'd have
to pick open the scabs of my CherryPy experience to answer about CP.
But yes, it appears that Django's contrib.auth module still allows
for performing a logout/ on a GET (something I remember
encountering/researching several years ago) rather than limiting it to
a POST. As best I can tell, it doesn't even check the refer(r)er, so
this charmingly means that I can put a tag like
<img src="http://yoursite.example.com/logout/">
on *my* site, and it will log you out from yoursite.example.com
despite. Not even a CSRF-token check because it's not a POST.
-tkc
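The logout-on-GET problem described above, as an added example that is not part of the original thread and is not Django's or CherryPy's own code. It models a logout endpoint as a plain function over a request dict and an in-memory session store (both hypothetical), so the vulnerable handler and a hardened one can be compared without running a web server. The form field name `csrfmiddlewaretoken` is borrowed from Django's convention; everything else (`SESSIONS`, `new_session`, the request helpers) is invented for the example.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session_id -> {"user": ..., "csrf": ...}.
SESSIONS = {}


def new_session(user):
    """Create a logged-in session and return its cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def cross_site_image_request(sid):
    """The request a browser issues for <img src="http://yoursite/logout/">
    on an attacker's page: a GET, no form body, no Referer check here, and
    (pre-SameSite browsers) the victim's session cookie attached."""
    return {"method": "GET", "cookies": {"sessionid": sid}, "form": {}}


def same_site_post_request(sid, token):
    """A POST from the site's own logout form, carrying the CSRF token."""
    return {"method": "POST", "cookies": {"sessionid": sid},
            "form": {"csrfmiddlewaretoken": token}}


def logout_vulnerable(request):
    """Logs the caller out on *any* method, exactly the behaviour the post
    complains about. Returns an HTTP status: 302 redirect either way, so the
    victim sees nothing unusual when the image "fails" to load."""
    sid = request["cookies"].get("sessionid")
    SESSIONS.pop(sid, None)          # state change driven by a bare GET
    return 302


def logout_hardened(request):
    """Only a POST that carries the session's CSRF token may end the session.
    Returns 405 for non-POST, 403 for a bad/missing token, 302 on success."""
    if request["method"] != "POST":
        return 405                   # a GET (img, link prefetch) cannot log out
    sid = request["cookies"].get("sessionid")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 302                   # already logged out; nothing to protect
    token = request["form"].get("csrfmiddlewaretoken", "")
    # Constant-time compare so the token check is not a timing oracle.
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    del SESSIONS[sid]
    return 302


if __name__ == "__main__":
    victim = new_session("alice")
    print("vulnerable:", logout_vulnerable(cross_site_image_request(victim)),
          "session alive?", victim in SESSIONS)
    victim = new_session("alice")
    print("hardened GET:", logout_hardened(cross_site_image_request(victim)),
          "session alive?", victim in SESSIONS)
    print("hardened POST:", logout_hardened(
        same_site_post_request(victim, SESSIONS[victim]["csrf"])))
```

The caveat a practitioner should keep in mind: current browsers default cookies to `SameSite=Lax`, which withholds the session cookie on a cross-site `<img>` fetch, so the specific tag in the post is blunted today. Lax still sends cookies on top-level navigations (a link the victim clicks, or `window.location` set by attacker script), so a GET-triggered logout remains abusable and the fix is still to require a POST with a token, as `logout_hardened` does.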