Sign out have to use POST

martenframework / marten

The pragmatic web framework.

https://martenframework.com

MIT License

396 stars 21 forks source link

Sign out have to use POST #184

Closed notramo closed 3 months ago

notramo commented 4 months ago

The generated auth app uses GET for signout. This has the following disadvantages.

An attacker can easily sign out anyone by simply redirecting the user from a malicious site to the sign-out endpoint with a simple HTTP 3xx redirect.
Turbo automatically prefetch <a> tag hrefs on mouseenter event, so when the user moves the mouse over the sign-out button, they are signed out.

I recommend using an empty <form> with only a CSRF token, and a <button>.

ellmetha commented 4 months ago

Technically, an even better strategy would be to use DELETE requests. But ultimately I agree with this and I think we can address this for the next major release.

notramo commented 4 months ago

Is it possible to have DELETE request with form submits? Does Marten support _method field in forms?

ellmetha commented 4 months ago

Does Marten support _method field in forms?

It doesn't at the moment but this could be a nice addition to the framework.