| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Jack Bonatakis <jack(at)bonatak(dot)is> |
| Cc: | Daniel Gustafsson <daniel(at)yesql(dot)se>, pgsql-www(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Unable to log out of postgresql.org |
| Date: | 2026-03-20 18:26:10 |
| Message-ID: | CABUevEzeBgmCaAnEy6jKh7viS5Ptuzi5i-sse01G8xE4XLtZfA@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-www |
Nice spot.
However, this fix won't work. Putting a csrf token on every page is
incompatible with the caching system we have in place.
One way to fix it would be to just allow logout GET again (I think this got
broken on a django upgrade where it wasn't tested). But maybe the better
way to fix it would be to have the logout link go to a page with a POST
form on it, and have that form do what the GET link does now. I assume the
GET is blocked because otherwise someone could trick a user, or redirect
them, to the logout URL and they get logged out. I'm not sure how realistic
or how big of a problem that is, but getting rid of it would not hurt...
Would you be interested in working on a patch for that as well?
//Magnus
On Fri, 20 Mar 2026 at 00:49, Jack Bonatakis <jack(at)bonatak(dot)is> wrote:
> Hi Daniel,
>
> Thanks for confirming. I took a look at the repo and have a fix that works
> locally. Please see the attached patch.
>
> Jack
>
> On Thu, Mar 19, 2026, at 6:21 PM, Daniel Gustafsson wrote:
>
> > On 19 Mar 2026, at 23:15, Jack Bonatakis <jack(at)bonatak(dot)is> wrote:
>
> > I seem unable to log out of postgresql.org. I have tried in multiple
> browsers and have received the same error each time.
>
> I can reproduce that as well.
>
> --
> Daniel Gustafsson
>
>
>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jack Bonatakis | 2026-03-21 01:51:32 | Re: Unable to log out of postgresql.org |
| Previous Message | Jack Bonatakis | 2026-03-19 23:49:21 | Re: Unable to log out of postgresql.org |