26

How to disable the intermediate signout page from django allauth? When the user clicks on the signout link on my site I want him to log out right away; I want to remove this intermediate page. [Screenshot of the signout intermediate page]

Mayank

3 Answers

47

Set ACCOUNT_LOGOUT_ON_GET to True in your settings.

Also see the documentation

knbk
  • This shouldn't be done over `GET`, because anybody can `` and get you signed out without you ever knowing it. https://stackoverflow.com/questions/3521290/logout-get-or-post – ryancey Nov 06 '18 at 15:56
  • What's wrong with being unknowingly logged out? If anything, that should be a feature, not a bug =) – Will Gordon Jan 31 '19 at 18:29
  • Answers by Kalob and Adam are more useful. Even the allauth doc says: "GET is not designed to modify the server state, and in this case it can be dangerous." It's pretty easy to do it with a POST. – Vivek Singh Jul 09 '20 at 08:24
10

Using a GET request is probably a bad idea due to browsers prefetching URLs from the URL bar. Chrome (as of right now) is pretty bad for this; it'll send a GET request to pages it thinks you'll hit enter on when typing in your URL bar.

Plus, people can add a link such as <img src="https://example.com/account/logout/"> and you'll be logged out. That's not a security risk since it's logging you out, but it is certainly annoying for your users.

Instead, you should consider using a POST request using a form with CSRF. Django Allauth already comes with this. Here's the <form> from the intermediate signout page:

<form method="post" action="{% url 'account_logout' %}">
  {% csrf_token %}
  {% if redirect_field_value %}
    <input type="hidden" name="{{ redirect_field_name }}" value="{{ redirect_field_value }}"/>
  {% endif %}
  <button class="STYLE_ME" type="submit">Logout</button>
</form>

In my case, I just added this to the site header and made the submit <button> look like every other link using CSS so it feels the same to them, but the form will use a POST request.

But if that's not a solution you can implement for any reason, open your settings.py file (or your main settings file) and set:

ACCOUNT_LOGOUT_ON_GET = True

^ The above setting will do what you need. For further Django Allauth settings, check out their configuration page.

Kalob Taulien
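Added example (not code from this answer or from django-allauth): a small Python model of the logout view that shows, side by side, what the GET shortcut gives up and what the POST form with `{% csrf_token %}` buys you. `Request`, `logout_view` and the scenario helpers are constructed here, and `csrf_ok` is a simplified version of Django's double-submit cookie check, not the real middleware.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Request:
    """Constructed stand-in for a Django request, not the real class."""
    method: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

def csrf_ok(request):
    """Simplified Django check: csrftoken cookie must equal the form field."""
    cookie = request.cookies.get("csrftoken", "")
    form_token = request.post.get("csrfmiddlewaretoken", "")
    return bool(cookie) and hmac.compare_digest(cookie, form_token)

def logout_view(request, logout_on_get=False):
    """Model of the allauth logout view: returns (status, body) and clears
    the session whenever the logout is accepted."""
    if request.method == "GET":
        if not logout_on_get:
            return 200, "intermediate confirm page"
        request.session.clear()  # the ACCOUNT_LOGOUT_ON_GET = True path
        return 302, "redirect"
    if request.method == "POST":
        if not csrf_ok(request):
            return 403, "CSRF verification failed"
        request.session.clear()
        return 302, "redirect"
    return 405, "method not allowed"

def logged_in_request(method, post=None):
    """Browser request carrying the user's cookies (sent even for requests
    that another site's page triggers); values are constructed."""
    return Request(method, cookies={"sessionid": "s1", "csrftoken": "tok"},
                   post=post or {}, session={"user_id": 7})

def img_tag_get_survives(logout_on_get):
    """An <img src=".../account/logout/"> on another site is a GET with cookies."""
    req = logged_in_request("GET")
    logout_view(req, logout_on_get)
    return bool(req.session)  # True means the user is still logged in

def cross_site_post_status():
    """Third-party form POST: cookies ride along, but that page cannot read
    csrftoken, so the form field is missing and the request is rejected."""
    return logout_view(logged_in_request("POST"))[0]

def own_form_post_status():
    """The intermediate page's own form, where {% csrf_token %} fills the field."""
    return logout_view(logged_in_request("POST", {"csrfmiddlewaretoken": "tok"}))[0]
```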
3

Here's another shortcut for preserving the POST request if you don't want to mess with styling the form button. Something like this:

Hide the form:

<form style='display: none;' method="post" action="{% url 'account_logout' %}">
  {% csrf_token %}
  <input type="hidden" name="next" value="/redirect_target/"/>
  <button id="signOutBtn" type="submit">Logout</button>
</form>

Submit with a click event attached to whatever element you've already styled:

$(document).on('click', '#signOutLink', function() {
    $('#signOutBtn').click()
});

Adam Starrh