Curious how others here would represent these in a REST architecture.
/users/login/
/users/logout/
These endpoints set up the session to log in the user, or clear it, respectively. My gut says POST, but I'm not in fact creating an object.
You should use POST - using GET for these actions can lead to issues with browser prefetching and search engine spidering. See (1, 2)
POST sounds like the most rational option for a logout request and is what I would consider by default, however, doesn't POST mean "create"? What form-data would you be sending for a logout request with POST? A DELETE request would hardly be suitable either unless you have something like DELETE /session/{id}. PUT would mean we're replacing something, so that's out of the question. What are your thoughts on PATCH?
Use POST.
Logout changes the state on the server (e.g., destroying a session, invalidating a token), so it should not be GET. POST is used for operations that cause side effects and are not idempotent — which logout usually is. It's semantically correct for actions like logout that do not delete a resource, but still trigger a state change.
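
As an added example (not code from any of the posts above), here is a minimal standard-library WSGI app with the POST-only behaviour the answers recommend: a GET to /users/logout/ gets 405 and leaves the session intact, while a POST destroys it. The in-memory SESSIONS store, the sid cookie name, the call helper and the skipped credential check are assumptions made for the illustration.

```python
import secrets
from wsgiref.util import setup_testing_defaults

SESSIONS = {}   # session id -> username; in-memory store constructed for this example
COOKIE = "sid"  # assumed cookie name

def _session_id(environ):
    """Pull the session id out of the Cookie header, if present."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE:
            return value
    return None

def app(environ, start_response):
    path, method = environ["PATH_INFO"], environ["REQUEST_METHOD"]
    if path not in ("/users/login/", "/users/logout/"):
        start_response("404 Not Found", [("Content-Length", "0")])
        return [b""]
    if method != "POST":
        # A GET/HEAD from a prefetcher or crawler must not touch session state.
        start_response("405 Method Not Allowed",
                       [("Allow", "POST"), ("Content-Length", "0")])
        return [b""]
    if path == "/users/login/":
        # Credential checking is omitted; the example only tracks session state.
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = "demo-user"
        cookie = f"{COOKIE}={sid}; HttpOnly; SameSite=Lax; Path=/"
    else:
        # Logging out twice is harmless: a missing session is simply ignored.
        SESSIONS.pop(_session_id(environ), None)
        cookie = f"{COOKIE}=; Max-Age=0; HttpOnly; SameSite=Lax; Path=/"
    start_response("204 No Content", [("Set-Cookie", cookie)])
    return [b""]

def call(method, path, cookie=""):
    """Drive the app in-process; returns (status line, headers dict)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path, HTTP_COOKIE=cookie)
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```

Neither request needs a body: the POST to /users/logout/ identifies the session from the cookie alone.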