
In theory yes, but I'd wager that most of the time logouts are just hyperlink (/account/signout, /logout, etc.). Unless you had a good reason to, you kinda have to go out of your way to make it a POST.


So you're saying that poorly-designed applications wouldn't work properly sometimes.


Poorly designed applications like this one? https://accounts.google.com/Logout


Yes. Imagine if everyone put the following code on their sites:

    <iframe src="https://accounts.google.com/Logout" width="0" height="0" ></iframe>


You could do the same with a POST by just running the following in a hidden iframe on your site:

    <!-- assumes jQuery is already loaded on the page -->
    <form id="form" method="post" action="https://accounts.google.com/Logout"></form>
    <script>$('#form').submit()</script>

The correct way of dealing with this issue is to rely on CSRF tokens.
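What "rely on CSRF tokens" looks like on the server side, as an added illustration that is not from this thread or from Google: a logout handler that rejects GET outright (so an `<img>` or `<iframe>` can never trigger it) and only ends the session when the POST carries the token tied to that session. The session store, the `handle_logout` signature and the field name `csrf_token` are assumptions for this example.

```python
import hmac
import secrets

# Constructed in-memory session store; a real app would use its server-side
# session backend. Maps session id -> {"user": ..., "csrf": ...}.
SESSIONS = {}


def new_session(user="alice"):
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own logout form (hidden input)."""
    return SESSIONS[sid]["csrf"]


def handle_logout(method, sid, form):
    """Return (status, body) for a /logout request.

    method: HTTP method string; sid: session cookie value; form: dict of
    POST fields. Only a POST with the session's CSRF token ends the session.
    """
    if method != "POST":
        # A GET /logout is exactly what <img src=...> or <iframe src=...> sends;
        # refusing it means a hyperlink or embedded image can never log someone out.
        return 405, "Method Not Allowed"
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "No session"
    supplied = form.get("csrf_token", "")
    # A cross-site auto-submitted form cannot read the token from the victim's
    # page, so it arrives empty or wrong. Constant-time compare avoids timing leaks.
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "CSRF token mismatch"
    del SESSIONS[sid]
    return 200, "Logged out"
```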


I believe that would be the point of <meta http-equiv="X-Frame-Options" content="deny">


That's like trying to duct tape your arm back on after losing a fight with a chainsaw.


<img src="https://accounts.google.com/Logout" style="display:none">

"X-Frame-Options" is used to defend against click-jacking attacks, not to defend against CSRF.


Yes.

What's your point? Google must be incapable of poor design? Everything a big company does is good?


I wanted to know what HN consensus was on this sort of thing, because it seems to me this is not something that inexperienced programmers do (like SQL injection).

Also, full disclosure: I work for Google.


This isn't poorly designed. There are the web specs and then there's the web itself, and if it works then the spec needs updating. There's no law that POST should be used for session state; that was just someone writing it into an RFC. The fact that GET works just fine and a significant population of web apps use GET that way makes it reality more than any spec does.


Read a bit more about how this is a problem at http://abielinski.com/logout


Sweet, RequestPolicy protected me. ;)


You got me :)

This is the very essence of the problem.


Just because using GET to do destructive things "works" doesn't mean the spec should be changed to allow it. By your logic, we should just get rid of all requests except GET.

Someone sends you a link, you click it, it loads in your web browser telling you that you've sent them $5000. That is why POST, PUT, OPTIONS, and all the other methods exist.

This is most certainly poorly designed. Just because most web apps and web app developers suck doesn't mean that the freaking HTTP Standard should be changed.

Just no... please stop.


From a security point of view this is not good. An attacker can embed the logout link wherever (e.g. send a tweet) and log out your users. As said in the parent post, GETs should be idempotent and, in particular, not change any state.


I totally agree. What I'm outlining is that it is very convenient to implement it as a simple anchor tag, hence that is what you usually see in the wild.


Not the libraries' fault if you do something stupid.


That's what tokens are for but I agree that POST is the way to go.


I feel using a library like this would constitute a good reason.



