[openstreetmap/openstreetmap-website] Session.id unit test failures (#2488)

Andy Allan notifications at github.com
Thu Jan 2 13:20:35 UTC 2020


I've been digging into this, since I found it strange that we need to use the session id in logout links in the first place. I found that the reason was to avoid people being logged out by simple GET requests: https://trac.openstreetmap.org/ticket/2792 (10 years ago).

But why is the logout link a GET request in the first place? It changes state on the server, and is effectively "DELETEing a user session" (this is how Devise models it, for example). So I think the real fix might be to change the link and the action on the logout method, and that will mean we can avoid any worrying about the internal session id too.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/2488#issuecomment-570205193
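
Added example, not part of the original message and not code from openstreetmap-website: a plain-Ruby model of the two logout designs the message contrasts, a GET link that carries the session id and a DELETE action guarded by a per-session CSRF token. The handler names, the `session` and `csrf_token` parameter names, the status codes and the in-memory store are all assumptions made for illustration.

```ruby
require "securerandom"

# Constructed in-memory session store: session id => { user:, csrf: }
SESSIONS = {}

def login(user)
  sid = SecureRandom.hex(16)
  SESSIONS[sid] = { user: user, csrf: SecureRandom.hex(16) }
  sid
end

# Constant-time string comparison so the check does not leak via timing.
def secure_eq(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# GET design (hypothetical handler): a bare GET must not log the user out,
# so the link has to carry the session id, which puts that id into URLs.
def logout_get(method, cookie_sid, params)
  return 405 unless method == "GET"
  return 403 unless SESSIONS.key?(cookie_sid) && secure_eq(params["session"], cookie_sid)
  SESSIONS.delete(cookie_sid)
  302
end

# DELETE design (hypothetical handler): the state change is refused for GET,
# and the request is authorised by a CSRF token instead of the session id.
def logout_delete(method, cookie_sid, params)
  return 405 unless method == "DELETE"
  session = SESSIONS[cookie_sid]
  return 401 unless session
  return 403 unless secure_eq(params["csrf_token"], session[:csrf])
  SESSIONS.delete(cookie_sid)
  303
end
```
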