LOGOUT GET or POST?
Should I use a GET or POST request to logout a user?
10 Replies
You shouldn't use GET for anything other than fetching data; any action that changes state should be POST, unless one of the other HTTP methods is more appropriate.
Got it thanks @jochemm
GET information shows up in the address bar for the whole world to see
Just for grins, an argument could be made that a logout route should be PATCH. It's an update to a resource: the sessions info resource.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/PATCH
Wouldn't that make it a DELETE? You usually fully drop a session when logging out (or rather you should be)
Depends on whether you consider the session store as a whole one resource or not. If each session's info is its own resource then DELETE would work. I was going with PATCH under the assumption that all sessions were being stored in one resource, so you're only modifying the session store as a whole to remove the logged-out user.
Microsoft uses GET for both login and logout in their ASP.NET Core docs. I find using non-GET routes for pages the browser is meant to navigate to to be more of a hassle than it's worth. A GET endpoint makes it easier to create a logout button since you just need to link to that route, no form required.
Logout I can kinda see, I've used GET for logout in the past, and it's a very simple action that doesn't really cause any issue if it's repeated accidentally... but GET for login just seems like a terrible idea, unless you really know what you're doing. If you're sending username and password, you end up with those in URLs, browser history, server logs, potentially proxy logs... Microsoft likely uses some GET requests in redirects, their sign-in process seems to use a half-dozen of those at least, but I can't imagine they're submitting your actual credentials over GET.
The GET endpoint there just responds with the form to log in; in their samples, they of course use POST to receive a username or password.
But when implementing OAuth providers GET is also used
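Added example (not from any participant in the thread, and not ASP.NET Core's code): a framework-free logout handler showing the POST/DELETE-only design argued for above, plus the "button is just a form" answer to the link-vs-form point. The request is modelled as `(method, cookies, form)` and the handler returns `(status, headers)`; the names `SESSIONS`, `create_session`, `handle_logout` and the cookie name `sid` are assumptions for this example. The reason to refuse GET is that a bare link is followed by the browser wherever it appears, so a GET logout can be triggered from any other page; a POST carrying a per-session CSRF token can only come from a page the server rendered for that user.

```python
import hmac
import secrets
from http import HTTPStatus

# In-memory session store, constructed for the example: sid -> {"user", "csrf"}
SESSIONS = {}


def create_session(user):
    """Log a user in: mint an unguessable session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def logout_button_html(sid):
    """The POST 'logout button' is a two-line form carrying the session's CSRF token.
    This is all the extra work that avoiding a GET link costs."""
    csrf = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/logout">'
            f'<input type="hidden" name="csrf" value="{csrf}">'
            '<button>Log out</button></form>')


def _clear_cookie():
    # Expire the cookie client-side as well; the server-side record is already gone
    return {"Set-Cookie": "sid=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"}


def handle_logout(method, cookies, form):
    """Return (status, headers) for a request to /logout.

    GET is answered with 405 and changes nothing: navigation must never mutate
    state. POST (or DELETE, if you model the session as its own resource) must
    carry the CSRF token; `form` stands in for the parsed body, or for a header
    in the DELETE case.
    """
    if method not in ("POST", "DELETE"):
        return HTTPStatus.METHOD_NOT_ALLOWED, {"Allow": "POST, DELETE"}

    sid = cookies.get("sid")
    sess = SESSIONS.get(sid)
    if sess is None:
        # Nothing to drop (already logged out or never logged in); repeating
        # logout is harmless, so answer the same way and clear the cookie.
        return HTTPStatus.NO_CONTENT, _clear_cookie()

    token = form.get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        # Right cookie, wrong or missing token: a request that did not come
        # from a page we rendered. Refuse it and leave the session alone.
        return HTTPStatus.FORBIDDEN, {}

    # Fully drop the server-side session (the DELETE semantics from the thread)
    del SESSIONS[sid]
    return HTTPStatus.NO_CONTENT, _clear_cookie()


if __name__ == "__main__":
    sid = create_session("alice")
    print(logout_button_html(sid))
    print(handle_logout("GET", {"sid": sid}, {}))                        # 405, session kept
    print(handle_logout("POST", {"sid": sid}, {"csrf": "x"}))            # 403, session kept
    print(handle_logout("POST", {"sid": sid}, {"csrf": SESSIONS[sid]["csrf"]}))  # 204, dropped
```

Because `handle_logout` is idempotent for a session that no longer exists, a double-submitted POST behaves as harmlessly as the "repeated GET" the thread mentions, without leaving a navigable URL that logs the user out.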