Use POST.

In 2010, using GET was probably an acceptable answer. But today (in 2013), browsers will pre-fetch pages they "think" you will visit next.

Here is one of the StackOverflow developers talking about this issue on Twitter:

I'd like to thank my bank for making log off a GET request, and the Chrome team for handy URL prefetching. - Nick Craver (@Nick_Craver) January 29, 2013

Fun fact: StackOverflow used to handle log-out via GET, but not anymore.
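To illustrate the answer above, here is an added example (not part of the original answer) of a logout route that changes state only on POST, so a prefetched GET leaves the session alone. The WSGI app, the `sid` cookie name, the in-memory `SESSIONS` store and the `call` helper are all assumptions made for this sketch.

```python
from http.cookies import SimpleCookie

# Constructed in-memory session store: session id -> username (sample data).
SESSIONS = {"s3ss10n-constructed": "alice"}

def _session_id(environ):
    """Return the 'sid' cookie value from the request, or None."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return cookie["sid"].value if "sid" in cookie else None

def app(environ, start_response):
    """WSGI app with a single /logout route that only changes state on POST."""
    if environ.get("PATH_INFO") != "/logout":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    if environ.get("REQUEST_METHOD") != "POST":
        # A prefetch or link-preview GET lands here; the session is untouched.
        start_response("405 Method Not Allowed",
                       [("Allow", "POST"), ("Content-Type", "text/plain")])
        return [b"log out with POST\n"]
    SESSIONS.pop(_session_id(environ), None)
    # Expire the cookie in the browser as well as deleting server-side state.
    start_response("303 See Other",
                   [("Location", "/"),
                    ("Set-Cookie", "sid=; Max-Age=0; Path=/; HttpOnly")])
    return [b""]

def call(method, path, cookie=""):
    """Drive the app without a network socket; returns (status, headers)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie}
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]

if __name__ == "__main__":
    print(call("GET", "/logout", "sid=s3ss10n-constructed"), SESSIONS)
    print(call("POST", "/logout", "sid=s3ss10n-constructed"), SESSIONS)
```
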


In REST there should be no session, therefore there is nothing to destroy. A REST client authenticates on every request. Logged in, or out, it's just an illusion.

What you are really asking is: should the browser continue sending the authentication information on every request?

Arguably, if your application does create the illusion of being logged in, then you should be able to "log out" using JavaScript. No round trip required.


Fielding Dissertation - Section 5.1.3

each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client