Closed Bug 1325898 Opened 9 years ago Closed 8 years ago

developer.mozilla.org. logout implemented as GET

Categories

(developer.mozilla.org Graveyard :: Sign-in, enhancement)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: safinaskar, Assigned: safwan)

Details

(Keywords: in-triage, Whiteboard: [specification][type:bug])

What did you do?
================
Implement logout from developer.mozilla.org as POST. You can websearch discussions about this. MDN itself says that "Requests using GET should only retrieve data"

What happened?
==============
-

What should have happened?
==========================
-

Is there anything else we should know?
======================================
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: in-triage
We should enable the logout view in django allauth: http://django-allauth.readthedocs.io/en/latest/views.html#logout

We currently have ACCOUNT_LOGOUT_ON_GET=True, which has been the setting since the site was converted to django-allauth. Making this change will probably require:

1) Creating a Jinja2 template for the logout page
2) Updating the header template
3) Updating functional tests that include a logout
:atopal - I think you've been assigned investigation of why sessions are dropped (bug #?). One reason to implement logout as a POST is that some browsers pre-fetch links on a page for efficiency, and pre-fetching the logout link will log you out: http://stackoverflow.com/a/14587231/10612
(In reply to John Whitlock [:jwhitlock] from comment #2)
> :atopal - I think you've been assigned investigation of why sessions are
> dropped (bug #?). One reason to implement logout as a POST is that some
> browsers pre-fetch links on a page for efficiency, and pre-fetching the
> logout link will log you out:
>
> http://stackoverflow.com/a/14587231/10612

Ha!
Safwan asked to take this one on IRC. He proposed an AJAX POST, I said plain POST, and now I think I'm caught up to his way of thinking.

Currently, when you click "Sign Out", you follow the link to /en-US/users/signout, which signs you out and redirects you back to the original page.

After the change, with JavaScript disabled, you instead go to a new page, which asks if you want to sign out. You click a submit button, which does a POST to /en-US/users/signout, and you are signed out, back on the page you started the process with.

I believe this is what safwan was proposing, but also add an on-click event, so that if JavaScript is enabled, it is turned into a JS POST to /en-US/users/signout or similar, without having to go to the confirmation page. This would cause the "Sign Out" link to work like it currently does for most users. I think that's a stretch goal, but an excellent user experience with no security side-effects.
Assignee: nobody → safwan.rahman15
Status: NEW → ASSIGNED
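The behaviour discussed in this bug, as an added example that is not kuma or django-allauth code: a standard-library WSGI handler where a GET to the sign-out URL only renders a confirmation form (so a prefetch cannot end the session) and only a POST carrying the session's token signs the user out. The in-memory session store, the `sessionid` cookie name, the `csrf` form field and the `request` helper are assumptions made for the demo.

```python
import hmac, io, secrets
from urllib.parse import parse_qs

SESSIONS = {}  # session id -> {"user", "csrf"}; in-memory store, demo only

def login(user):
    """Create a session with its own anti-CSRF token and return the session id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def signout_app(environ, start_response):
    """Sign-out endpoint: GET has no side effects, POST ends the session."""
    sid = environ.get("HTTP_COOKIE", "").partition("sessionid=")[2].split(";")[0]
    session = SESSIONS.get(sid)
    method = environ["REQUEST_METHOD"]
    if method == "GET":
        # Safe method: a prefetch or crawler landing here changes nothing.
        token = session["csrf"] if session else ""
        page = ('<form method="post" action="/en-US/users/signout">'
                f'<input type="hidden" name="csrf" value="{token}">'
                '<button type="submit">Sign Out</button></form>')
        start_response("200 OK", [("Content-Type", "text/html")])
        return [page.encode()]
    if method != "POST":
        start_response("405 Method Not Allowed", [("Allow", "GET, POST")])
        return [b""]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    sent = form.get("csrf", [""])[0]
    # The state change needs a live session and that session's own token.
    if not session or not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"bad or missing token"]
    del SESSIONS[sid]
    start_response("302 Found", [("Location", "/")])
    return [b""]

def request(method, sid, body=b""):
    """Drive the app with a constructed WSGI environ; return the status line."""
    seen = []
    environ = {"REQUEST_METHOD": method, "HTTP_COOKIE": f"sessionid={sid}",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    signout_app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```
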
Commit pushed to master at https://github.com/mozilla/kuma

https://github.com/mozilla/kuma/commit/b4430899293ae71b99f04454e9accb970783f485
bug 1325898: Merge pull request #4147 from jpetto/logout-post-color-fix-1325898

Fix 'Sign Out' color on zone pages.
Push to stage and production. Thanks safwan, jpetto!
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: developer.mozilla.org → developer.mozilla.org Graveyard