Spring logout GET vs POST

Question

I am learning Spring at the moment and just made my first simple logout with Spring. I know that I log out by making a POST request to the path "/logout". But why is GET not enough? I tried Googling but it seems I have the wrong search words, since I only get results on "why can't I log in to x".

Answer 1

Score: 1

The major reason is that it's easy to trick the user into clicking on a link to /logout or even forging the request via JavaScript. This is a nuisance at the least and can be the beginning of some kind of attempt to get the user to enter credentials into a fake site. Using POST brings all of the CSRF protection into play, making malicious or accidental logging out more difficult.

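The configuration the answer implies, as an added example (this is not code from the question or the answer): a Spring Security 6 Java configuration that leaves CSRF protection enabled, which is exactly what makes `LogoutFilter` accept `/logout` only as a POST carrying a valid CSRF token. The class name `SecurityConfig` and the URLs are assumed for illustration; the weakened variant in the comment is the setting that lets a plain link log the user out.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not from the original post): hardened logout configuration.
// Class name and URLs are assumptions chosen for illustration.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every request needs an authenticated session; the default
            // form login page at /login is permitted automatically.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())

            // CSRF protection is on by default; writing it out documents the intent.
            // While it is enabled, Spring Security's LogoutConfigurer matches
            // /logout ONLY for POST, and the CsrfFilter rejects any POST that
            // does not carry the token bound to the user's session. A cross-site
            // link or redirect to /logout therefore does nothing.
            .csrf(Customizer.withDefaults())

            .logout(logout -> logout
                .logoutUrl("/logout")                // POST /logout with _csrf
                .logoutSuccessUrl("/login?logout")   // where to send the user afterwards
                .invalidateHttpSession(true)         // drop server-side session state
                .deleteCookies("JSESSIONID"));       // and the session cookie itself

            // Weak variant (do NOT ship). Either of these accepts a bare GET,
            // so an attacker page only needs <a href="https://your-app/logout">
            // and the browser attaches the session cookie with no token to check:
            //
            //   .csrf(csrf -> csrf.disable())
            //     -> /logout is then matched for GET, POST, PUT and DELETE
            //
            //   .logout(logout -> logout.logoutRequestMatcher(
            //        new AntPathRequestMatcher("/logout", "GET")))
            //     -> explicitly opts in to GET even with CSRF left on

        return http.build();
    }
}
```

With this in place the logout control in the UI has to be a form, not a link. A Thymeleaf template using `th:action="@{/logout}" method="post"` gets the hidden `_csrf` field added automatically; in plain HTML or JSP you add `<input type="hidden" name="_csrf" value="${_csrf.token}"/>` yourself. A quick check that the hardening is actually active: `curl -b "JSESSIONID=<your session id>" https://your-app/logout` (a GET) should leave you logged in, while the same request with `-X POST` and no token should return 403 rather than ending the session.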
huangapple
  • Posted on 2020-09-22 15:13:19
  • Please keep this link when reposting: https://go.coder-hub.com/64004744.html