5

Within the context of a Laravel application, what is the significance of POSTing to perform a logout? Is there some security and/or session particularity that POSTing has over just GETing?

The relevant portion from the generated `make:auth`:

```html
<ul class="dropdown-menu" role="menu">
  <li>
    <a
      href="{{ url('/logout') }}"
      onclick="event.preventDefault();document.getElementById('logout-form').submit();">
      Logout
    </a>

    <form id="logout-form" action="{{ url('/logout') }}" method="POST" style="display: none;">
      {{ csrf_field() }}
    </form>
  </li>
</ul>
```
IGP
Chris
  • 1
    It is a matter of choice, but also has been [discussed before](http://stackoverflow.com/questions/3521290/logout-get-or-post) on Stackoverflow. – Rene Pot Aug 05 '16 at 13:05
  • 1
    In general any action which would change the server's state should be sent via POST. That's what the suggestion has always been. – apokryfos Aug 05 '16 at 13:10
  • RE: "Marked as duplicate" - When posted, I was asking in the context of Laravel (I thought it was a particular feature of Laravel), but can see how the broader "original" question can also apply. – Chris Aug 05 '16 at 13:24

1 Answer

6

GET requests are supposed to be "safe" and shouldn't have any significant side effects. It shouldn't matter, for example, if a precaching feature of a browser followed the link. That should just get some data.

Logging the user out would be a significant side effect, so GET would be inappropriate.

Community
Quentin
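
The distinction drawn in the answer, as an added example that is not part of the original answer and is not Laravel's own code: a framework-free Python model of a logout handler that acts on GET beside one that accepts only POST carrying the token from `csrf_field()`. The session store, function names and status codes are assumptions made for illustration.

```python
# Added example: a framework-free model of a logout endpoint (not Laravel code).
import hmac
import secrets

SESSIONS = {}  # constructed in-memory store: session id -> CSRF token


def login():
    """Create a session and return (session_id, csrf_token)."""
    sid, token = secrets.token_hex(16), secrets.token_hex(32)
    SESSIONS[sid] = token
    return sid, token


def logout_via_get(method, sid, form=None):
    """Weak variant: any request for /logout, whatever the method, ends the session."""
    if sid not in SESSIONS:
        return 401
    del SESSIONS[sid]
    return 302


def logout_via_post(method, sid, form=None):
    """Corrected variant: POST only, and the form must carry the session token."""
    if method != "POST":
        return 405  # GET stays free of side effects
    expected = SESSIONS.get(sid)
    if expected is None:
        return 401
    sent = (form or {}).get("_token", "")  # field name emitted by csrf_field()
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return 403
    del SESSIONS[sid]
    return 302


def demo():
    """Replay constructed requests: a link prefetch, then the hidden form's submit."""
    results = {}
    sid, _ = login()
    results["weak_prefetch"] = logout_via_get("GET", sid)
    results["weak_session_alive"] = sid in SESSIONS
    sid, token = login()
    results["prefetch"] = logout_via_post("GET", sid)
    results["alive_after_prefetch"] = sid in SESSIONS
    results["post_without_token"] = logout_via_post("POST", sid, {})
    results["form_submit"] = logout_via_post("POST", sid, {"_token": token})
    results["alive_after_submit"] = sid in SESSIONS
    return results
```

Calling `demo()` shows the prefetch ending the session in the GET variant, while the POST variant leaves it intact until the form submits the matching `_token`.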