stormpath / stormpath-laravel

Build simple, secure web applications with Stormpath and Laravel

Logout route required to be POST #49

Closed deni-zen closed 8 years ago

deni-zen commented 8 years ago

When I try to log out using the default settings with a fresh install, I get a MethodNotAllowedHttpException because although I am requesting "/logout" via GET, the routes file requires POST. Your unit tests are bad as well. I will submit a pull request that fixes this issue.

deni-zen commented 8 years ago

It occurred to me as I went to write a patch for this that maybe your intention was to require a POST for logout (as it is, I believe, technically, more correct to request a logout via POST). Before I go through the trouble of submitting a pull request, which of these was your intention?

bretterer commented 8 years ago

Yes. The logout route is set to POST for security reasons.

You can follow the ticket for this decision at https://github.com/stormpath/stormpath-framework-spec/issues/43.

Was there some documentation that you found that still referenced Logout as a GET request that we need to update, or even a better way we can explain this in documentation for other developers that may have thought the same thing?

-Brian