monterail / guidelines

[DEPRECATED] We are Ruby on Rails experts from Poland. Think hussars. Solid & winged. These are our guidelines.

Never ever switch from :delete to :get for logout action in devise #171

Closed jandudulski closed 11 years ago

jandudulski commented 11 years ago

I know that using POST/DELETE for the sign out action is kind of a PITA, but you don't want your users to be automagically signed out, do you?

Every action which changes the state of the application should use a CSRF token, including sign out. Homakov describes the problem in his blog post.

/cc @teamon @sheerun @Ostrzy @chytreg @jcieslar @szajbus
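As an added example (not code from the monterail guidelines or from Devise itself), the following pure-Ruby stand-in for a Devise sessions controller shows the point of the thread: with the sign-out route accepting GET, a cross-site `<img>` tag is enough to sign the victim out, because the browser attaches the session cookie and GET requests are never checked for an authenticity token; with the default DELETE route plus a Rails-style token check, both the cross-site GET and a forged DELETE are refused. `FakeSessionsApp`, the path `/users/sign_out`, the user `alice` and the scenario requests are constructed for this example. In a real app the corresponding setting is `config.sign_out_via` in `config/initializers/devise.rb`, which Devise defaults to `:delete`.

```ruby
require "securerandom"

# Added example (not the repository's or Devise's own code): a minimal
# sessions handler that mimics Devise's sign_out_via setting and Rails'
# protect_from_forgery, so the effect of :get versus :delete can be observed.
class FakeSessionsApp
  SAFE_METHODS = %w[GET HEAD].freeze # verbs Rails never checks for a CSRF token

  def initialize(sign_out_via:)
    @sign_out_via = sign_out_via.to_s.upcase # stands in for Devise's config.sign_out_via
    @sessions = {}                           # session_id => { user:, csrf_token: }
  end

  # Log a user in; returns the session id the browser would keep in its cookie.
  def sign_in(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user: user, csrf_token: SecureRandom.hex(32) }
    sid
  end

  def signed_in?(sid)
    @sessions.key?(sid)
  end

  # The token a same-origin page would render into its sign-out form or link.
  def csrf_token_for(sid)
    @sessions.fetch(sid)[:csrf_token]
  end

  # Dispatch one request. `cookie_sid` models the browser attaching the session
  # cookie automatically, which it does for cross-site requests as well.
  # Returns an HTTP-style status code.
  def request(method:, path:, cookie_sid:, authenticity_token: nil)
    verb = method.upcase
    return 404 unless path == "/users/sign_out"
    return 404 unless verb == @sign_out_via # e.g. a GET hitting a DELETE-only route
    return 401 unless signed_in?(cookie_sid)

    # State-changing verbs must carry a token matching the one in the session.
    unless SAFE_METHODS.include?(verb)
      return 422 unless valid_token?(cookie_sid, authenticity_token)
    end

    @sessions.delete(cookie_sid)
    204
  end

  private

  def valid_token?(sid, presented)
    expected = csrf_token_for(sid)
    return false unless presented.is_a?(String) && presented.bytesize == expected.bytesize
    # Constant-time comparison so the check leaks nothing through timing.
    expected.bytes.zip(presented.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Scenario: the victim is logged in, then visits an attacker page containing
# <img src="https://app.example/users/sign_out">. The browser issues a GET with
# the victim's cookie and no token, since the attacker cannot read the token.
def cross_site_get_logs_out?(sign_out_via)
  app = FakeSessionsApp.new(sign_out_via: sign_out_via)
  sid = app.sign_in("alice")
  app.request(method: "GET", path: "/users/sign_out", cookie_sid: sid)
  !app.signed_in?(sid)
end

# The legitimate sign-out link: a DELETE carrying the token rendered into the page.
def legit_delete_logs_out?
  app = FakeSessionsApp.new(sign_out_via: :delete)
  sid = app.sign_in("alice")
  status = app.request(method: "DELETE", path: "/users/sign_out", cookie_sid: sid,
                       authenticity_token: app.csrf_token_for(sid))
  status == 204 && !app.signed_in?(sid)
end

# A forged DELETE (e.g. a cross-site POST with _method=delete) without a valid
# token is refused and the session survives.
def forged_delete_logs_out?
  app = FakeSessionsApp.new(sign_out_via: :delete)
  sid = app.sign_in("alice")
  app.request(method: "DELETE", path: "/users/sign_out", cookie_sid: sid,
              authenticity_token: "guess")
  !app.signed_in?(sid)
end

if __FILE__ == $PROGRAM_NAME
  puts "sign_out_via :get    -> cross-site <img> signs victim out? #{cross_site_get_logs_out?(:get)}"
  puts "sign_out_via :delete -> cross-site <img> signs victim out? #{cross_site_get_logs_out?(:delete)}"
  puts "legit DELETE with token signs out?                       #{legit_delete_logs_out?}"
  puts "forged DELETE without token signs out?                   #{forged_delete_logs_out?}"
end
```

The token check only ever runs for non-safe verbs, which is exactly why moving sign out to GET removes the protection: there is no place left where the token could be demanded, and any page the user visits can trigger the route with an image or link.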

szajbus commented 11 years ago

Why do you mention devise specifically?

jandudulski commented 11 years ago

Sure, it's not just about devise. But I mention it because I've seen many times that a dev was switching the default :delete to :get just in devise.

szajbus commented 11 years ago

I have mixed feelings.

I know it's against best practices (there is a change of state, so it should not be GET), but it's convenient for the users who somehow manage to send GET on the sign out link. Showing them a 401 seems wrong.

sheerun commented 11 years ago

I would write "avoid". Enabling GET for devise is not so bad, but for resources it is, for security reasons.

jandudulski commented 11 years ago

:+1: @sheerun

teamon commented 11 years ago

@jandudulski

jandudulski commented 11 years ago

PR added.

sorry

teamon commented 11 years ago