From a security point of view this is not good. An attacker can embed the logout... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		ecesena on Feb 8, 2014 \| parent \| context \| favorite \| on: Show HN: JS library to make your website instant From a security point of view this is not good. An attacker can embed the logout link wherever (e.g. send a tweet) and logout your users. As said in the parent post, GETs should be idempotent and, in particular, not change any state.

yogo on Feb 8, 2014 | [–]

I totally agree. What I'm outlining is that it is very convenient to implement it as a simple anchor tag, hence that is what you usually see in the wild.

bpicolo on Feb 8, 2014 | | [–]

Not the libraries' fault if you do something stupid.

hnha on Feb 8, 2014 | [–]

That's what tokens are for but I agree that POST is the way to go.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact