tags:

views:

306

answers:

11
+9  Q: 

Logout: GET or POST?

This question is not about when to use GET or POST in general; it is about which is the recommended one for handling logging out of a web application. I have found plenty of information on the differences between GET and POST in the general sense, but I did not find a definite answer for this particular scenario.

As a pragmatist, I'm inclined to use GET, because implementing it is way simpler than POST; just drop a simple link and you're done. This seems to be case with the vast majority of websites I can think of, at least from the top of my head. Even Stack Overflow handles logging out with GET.

The thing making me hesitate is the (albeit old) argument that some web accelerators/proxies pre-cache pages by going and retrieving every link they find in the page, so the user gets a faster response when she clicks on them. I'm not sure if this still applies, but if this was the case, then in theory a user with one of these accelerators would get kicked out of the application as soon as she logs in, because her accelerator would find and retrieve the logout link even if she never clicked on it.

Everything I have read so far suggest that POST should be used for "destructive actions", whereas actions that do not alter the internal state of the application -like querying and such- should be handled with GET. Based on this, the real question here is:

Is logging out of an application considered a destructive action/does it alter the internal state of the application?

A: 

Well if you let your web application abandon the session through a log out script, you usually don't need either. Normally there's a session variable that's unique for the session you want abandoned.

Rob  2010-08-19 11:35:46
Could you elaborate the "log out script"? I'm not sure if you are referring to setting a cookie expiration (which does not eliminate the need for a way of letting users manually logout.)
Daniel Liuzzi  2010-08-19 11:54:11
A log out script would end the session of the user (actually: browser) calling it. In ASP.net, the session is a server side object which can be abandoned. PHP has a similar system. Because that browser calls the script that ends the session, it already knows which one to end, eliminating the need for POST or GET variables.
Rob  2010-08-19 12:12:16
Yes, I get you now. I already have the script in place, specifically FormsAuthentication.SignOut(), but my question is about *how* to invoke the script, as in GET or POST.
Daniel Liuzzi  2010-08-19 12:23:23
Oh you have the url in a form? It doesn't matter if you're not passing any information to it. The worst thing that could happen is someone manually opening the script, logging themselves out. I wouldn't even make it a form field if not neccessary, a link to the script would work as well.If you DO send information to the script, I'd probably go for a POST, so as to not show any information to the user (unless they view the page source), and if they refresh they'll get a warning from their browser (page expired), which might be desirable.
Rob  2010-08-19 13:20:48
+2  A: 

To be correct, GET/POST (or other verbs) are actions on some resource (addressed by URL) - so its generally about resource's state and not about application state as such. So in true spirits, you should have a URL such as [host name]\[user name]\session, then 'DELETE' would be the correct verb for log out action.

Using [host name]\bla bla\logout as URL in not really an REST full way (IMO), so why debate about correct use of GET/POST on it?

Of course, I also use GET to an logout url in my applications :-)

VinayC  2010-08-19 11:37:11
In that case, I would then argue that having the [user name] part in the URL seems unnecessary, as users always logout from (i.e. DELETE) *their own* session; never other users' :-)
Daniel Liuzzi  2010-08-19 12:09:38
Not really - we are saying that session is an resource and we want to delete it. So for uniformly addressing any session, you need to have user name as a part of URL. Your argument is as good as saying issuing PUT action on [photo gallary]\pictures means you are adding to your photos (available at [photo gallary]\[user name]\pictures). Different resources has to be addressed explicitly, there can't be any implicitness into it. The site may allow other users to add pictures to your gallery - it would be a part of access control just as you can have a super user who can kill anybody's sessions.
VinayC  2010-08-19 13:06:44
Philosophically speaking, you could call sessions and photos 'resources', but realistically I wouldn't treat them the same. Session are always intrinsically restricted to the current user (hence the name Session) and, at least in ASP.NET, there is no way of accessing another user's sessions. Even the application developer has no direct way of enumerating all active sessions, or means to kill sessions individually. You could restart the application to kill all sessions (InProc), but I wouldn't call that access control. URLs aside, the question still remains: GET or POST?
Daniel Liuzzi  2010-08-19 13:31:24
Resource, hence its address (URL) are important part of REST. So if you choose URL as I said, DELETE becomes the correct word - not GET or POST.Also, even if you are limiting yourself to ASP.NET, you can always have your custom state provider that can give you way to enumerate through sessions and kill other sessions if needed. For out of box in-proc sessions, some fiddling in global.asax should give you the functionality. Its really a question of whether such functionality would be needed or not. For infrequent needs, folks tend to re-start web site to kick people out of site.
VinayC  2010-08-19 13:56:21
+1  A: 

The reason to avoid GET, as you observed, is "destructive actions," or actions that alter state. These are the things that you really don't want Google's Spider to do. For instance, deleting products from your catalog or placing fake orders is one of these things. Logout alters state in your application; it is thus also a destructive action.

In the case of logging out, though, you can't possibly go wrong: how is a web spider going to accidentally log in, in the first place? If GET is easier to implement, then you should do it.

(Pedantically speaking, I believe logging out should DELETE a "session" object.)

Andres Jaan Tack  2010-08-19 11:38:20
That's the reason I used web accelerators in my example. As opposed to spiders, web accelerators can have access to the session state (think a Firefox extension), and could theoretically be crawling password-protected areas of the site, i.e. where a logout link would likely be.
Daniel Liuzzi  2010-08-19 11:48:05
Ah, I skimmed over that part. Still, though, take the low-hanging fruit and start with GET. Later on, if you can reproduce the problem easily and/or if users complain, I'd go through the pain of POST/DELETE requests then. YAGNI.
Andres Jaan Tack  2010-08-19 14:32:11
+1  A: 

The scenario of pre-caching is an interesting one. But I'm guessing that if lots of sites inc SO do not worry about this then maybe you shouldn't either.

Or perhaps the link could be implemented in javascript?

Edit: As I understand it, technically a GET should be for read-only requests, that do not change application state. A POST should be for write/edit requests that change state. However other application issues might prefer GET over POST for some state-changing requests, and I do not think there is any problem with this.

Richard  2010-08-19 11:39:53
@Richard - Thanks. The *DB* state wouldn't be changed, but the *session* state would. The only problem I see is the one I mentioned in the question, about users getting kicked out. Non-destructive but rather annoying. I usually go by the "if the big guys do it, then it must be OK" mantra too. I just wanted to know what opinion others have on this.
Daniel Liuzzi  2010-08-19 13:09:53
+3  A: 

Logging out does nothing to the application itself. It changes the user's state in relation to the application. In this case, it appears your question is more based on how should the command be initiated from the user to begin this action. Since this is not a "destructive action", sure the session is abandoned or destroyed but neither your application or your data is altered, it is not infeasible to allow both methods to initiate a log out procedure. The post should be used by any user initiated actions (e.g. - user clicks "Log out"), while get could be reserved for application initiated log outs (e.g. - an exception detecting potential user intrusion forcibly redirects to the login page with a logout GET).

Joel Etherton  2010-08-19 11:43:32
Interesting; I never thought of it this way. +1.
strager  2010-08-19 11:47:34
This could conceivably depend on the application (some kind of "cascading delete" behavior), but you're right.
Andres Jaan Tack  2010-08-19 14:35:31
A: 

in my source code, it only set cookies...

eyhelchiu  2010-08-19 11:50:28
I'm sorry but I have no idea what you're trying to say...
Daniel Liuzzi  2010-08-19 12:00:51
A: 

If you use a form submission (using GET) to log out, instead of a link, your problem is solved as no accelerator would auto submit a form.

AlexW  2010-08-19 12:10:10
I understand forms can also issue GET requests, but to me the main reason to use GET is to eliminate the form in the first place; if I have to bother with a form, then I might as well use POST. I'm using ASP.NET MVC, so nearly no difference in code in the controllers (i.e. [HttpGet] vs. [HttpPost])
Daniel Liuzzi  2010-08-19 12:17:17
True. But as I'm sure you know, any Accelerator cannot follow forms automatically, so a good old fashioned form is your best bet here. I use ASP too and I know extra Forms can be a pain.
AlexW  2010-08-19 12:24:18
+4  A: 

In REST there should be no session, therefore there is nothing to destroy. A REST client authenticates on every request. Logged in, or out, it's just an illusion.

What you are really asking is should the browser continue sending the authentication information on every request.

Arguably, if your application does create the illusion of being logged in, then you should be able to to "log out" using javascript. No round trip required.

Fielding Dissertation - Section 5.1.3

each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client

Darrel Miller  2010-08-19 12:30:57
I actually was not aware of this. Then I guess my app won't be very RESTful at all, as I'm using ASP.NET MVC with FormsAuthentication and it relies on sessions...
Daniel Liuzzi  2010-08-19 12:40:10
@Daniel I added the relevant section from the definition of REST.
Darrel Miller  2010-08-19 12:56:58
@Darren - Good read, thanks. Bookmarked :)
Daniel Liuzzi  2010-08-19 13:01:19
but in practice the login info is kept in a cookie marked with the `httponly` attribute to prevent some xss risks, which means it can only be reset from the server (short of manually clearing the cookie)
Remus Rusanu  2010-08-19 14:41:32
@Remus What's wrong with manually clearing the cookie?
Darrel Miller  2010-08-19 18:44:07
'Manual' as in the user goes to the Browser settings and chooses the 'Clear cookies' option. Hardly an acceptable way to 'log off' a web site.
Remus Rusanu  2010-08-19 19:39:37
@Remus Ahhh, how the illustrious web browser makes writing web apps so painful.
Darrel Miller  2010-08-19 20:27:35
+1  A: 

One way GET could be abused here is that a person (competitor perhaps:) placed an image tag with src="<your logout link>" ANYWHERE on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out.

Raveren  2010-08-19 13:01:47
No, this is not right. A log out link will only work if the correct cookie data is sent, which it will not be from another domain. And even if the session id is stored in the url, that wouldn't work either as these change for every session.
Richard  2010-08-19 13:36:16
Wow, I never thought of that! So there, another reason not to use GET, and another reason I don't understand why everybody does it. Damn it, now I'm temped to include a http://stackoverflow.com/users/logout "image" too my post and see what happens :-D
Daniel Liuzzi  2010-08-19 13:45:30
@Richard - Makes sense, but the problem would exist in community-driven sites such as SO, right? The domain would be the same in this case.
Daniel Liuzzi  2010-08-19 13:53:35
@Daniel: I'm not sure cookie data is sent with an image request - although I never thought about this! But I doubt it.
Richard  2010-08-19 14:10:29
src= is a simple browser request, it does not come from server side, but from the client. It carries all cookies and comes from the user IP. That is why ad tracking pixels work. Only way to determine such exploit would be to check the referrer.
Raveren  2010-08-19 15:32:53
@Raveren: Checking the referrer could work, but unfortunately it isn't very reliable, as it merely is a header sent by the browser, so it's trivial to alter/fake. Namely, there's a Firefox extension called RefControl (https://addons.mozilla.org/firefox/addon/953) that allows you to do just this.
Daniel Liuzzi  2010-08-19 23:29:02
A: 

Simple answer: I almost always use GET. I haven't had a problem and many other sites also do this.

David Radcliffe  2010-08-19 13:08:52
A: 

I don't see how loging out (de-elevating user permissions) is a desctructive action. Thats because the "logout" action should be only available to users that are already logged in else it would be obsolete.

A random generated string contained in your browser cookies is all representing your user session. There are tons of ways to destroy it so effectively logging out is merely a service to your visitor.

jpluijmers  2010-08-19 21:18:49

related questions

What is the best architecture to bridge to XMPP?
How to expose a collection property?
How do you build a ratings implementation?
Alternative "architectural" approaches to javaScript client code?
Split data access class into reader and writer or combine them?
Guide to choosing between REST vs SOAP services?
Best architecture for handling file system changes?
Globalization architecture
How Did You Decide Between WISA and LAMP?
Best Blogs for Software Architecture
Experience documentation about Shared Nothing Architecture
Agile architectures
VS.NET Application Diagrams
Documenting program architecture
Books for software architect
How do you do system integration?
Design debate: what are good ways to store and manipulate versioned objects?
Passing more parameters in C function pointers
Send messages to program through command line
Interfaces on different logic layers
How to structure a java application, in other words: where do I put my classes?
Are there any negative reasons to use an N-Tier solution?
Linux - files and scripts that execute on boot
Good STL-like library for C.
Best way to allow plugins for a PHP application