Spring logout GET vs POST
Question

I am learning Spring at the moment and just made my first simple logout with Spring. I know that I log out by making a POST request to the path "/logout". But why is GET not enough? I tried Googling, but it seems I have the wrong search words, since I only get results on "why can't I log in to x".
Answer 1
Score: 1

The major reason is that it's easy to trick the user into clicking on a link to /logout, or even to forge the request via JavaScript. This is a nuisance at the least and can be the beginning of some kind of attempt to get the user to enter credentials into a fake site. Using POST brings all of the CSRF protection into play, making malicious or accidental logging out more difficult.
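As an added illustration (not code from the original answer), here is a Spring Security configuration that keeps the default CSRF-protected, POST-only logout, with the weaker GET-accepting variant left commented out for contrast; the package and class names are assumed:

```java
package com.example.demo; // assumed package name for this illustration

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CSRF protection stays enabled (the default): every state-changing
            // request, including POST /logout, must carry the CSRF token.
            .csrf(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout
                // With CSRF enabled, Spring Security accepts only POST on this
                // URL, so a plain <a href="/logout"> or a cross-site GET does nothing.
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                // Weakened variant, shown for contrast only (needs
                // org.springframework.security.web.util.matcher.AntPathRequestMatcher):
                // accepting GET lets any link or <img src> log the user out
                // with no CSRF token at all.
                // .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
            );
        return http.build();
    }
}
```

The matching logout button must be a form that POSTs to /logout and includes the CSRF token as a hidden `_csrf` field (Thymeleaf's `th:action` adds it automatically); a GET to /logout is then rejected rather than ending the session.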
Comments