Обсуждение: Unable to log out of postgresql.org
Hi all,
I seem unable to log out of postgresql.org. I have tried in multiple browsers and have received the same error each time.
To reproduce:
- Log in to https://www.postgresql.org
- Navigate to the account page https://www.postgresql.org/account/
- Click `Logout` on the lefthand nav bar
- The browser network tab shows a `GET` request to https://www.postgresql.org/account/logout/, which returns a 405.
The expected result is, of course, to be logged out, yet after the 405 I find I am still logged in. I can manually clear cookies to force a logout.
I do see this in the response header, which leads me to believe the logout call should be a POST, not a GET:
> allow: POST, OPTIONS
Jack
> On 19 Mar 2026, at 23:15, Jack Bonatakis <jack@bonatak.is> wrote: > I seem unable to log out of postgresql.org. I have tried in multiple browsers and have received the same error each time. I can reproduce that as well. -- Daniel Gustafsson
Hi Daniel,
Thanks for confirming. I took a look at the repo and have a fix that works locally. Please see the attached patch.
Jack
On Thu, Mar 19, 2026, at 6:21 PM, Daniel Gustafsson wrote:
> On 19 Mar 2026, at 23:15, Jack Bonatakis <jack@bonatak.is> wrote:> I seem unable to log out of postgresql.org. I have tried in multiple browsers and have received the same error each time.I can reproduce that as well.--Daniel Gustafsson
Вложения
Nice spot.
However, this fix won't work. Putting a csrf token on every page is incompatible with the caching system we have in place.
One way to fix it would be to just allow logout GET again (I think this got broken on a django upgrade where it wasn't tested). But maybe the better way to fix it would be to have the logout link go to a page with a POST form on it, and have that form do what the GET link does now. I assume the GET is blocked because otherwise someone could trick a user, or redirect them, to the logout URL and they get logged out. I'm not sure how realistic or how big of a problem that is, but getting rid of it would not hurt...
Would you be interested in working on a patch for that as well?
//Magnus
On Fri, 20 Mar 2026 at 00:49, Jack Bonatakis <jack@bonatak.is> wrote:
Hi Daniel,Thanks for confirming. I took a look at the repo and have a fix that works locally. Please see the attached patch.JackOn Thu, Mar 19, 2026, at 6:21 PM, Daniel Gustafsson wrote:> On 19 Mar 2026, at 23:15, Jack Bonatakis <jack@bonatak.is> wrote:> I seem unable to log out of postgresql.org. I have tried in multiple browsers and have received the same error each time.I can reproduce that as well.--Daniel Gustafsson
On Fri, Mar 20, 2026, at 2:26 PM, Magnus Hagander wrote:
Nice spot.However, this fix won't work. Putting a csrf token on every page is incompatible with the caching system we have in place.One way to fix it would be to just allow logout GET again (I think this got broken on a django upgrade where it wasn't tested). But maybe the better way to fix it would be to have the logout link go to a page with a POST form on it, and have that form do what the GET link does now. I assume the GET is blocked because otherwise someone could trick a user, or redirect them, to the logout URL and they get logged out. I'm not sure how realistic or how big of a problem that is, but getting rid of it would not hurt...Would you be interested in working on a patch for that as well?//Magnus
Ah interesting. Yeah, it looks to be a change new with Django 5. I'll have to take a closer look at the existing caching system, but yes I'd be happy to work on an alternative to my patch above. Your proposal seems reasonable and might be the way to go.
Jack
Okay I think this one will work better. I went with your suggestion of a separate log out page. Note that I added an explicit `@never_cache` decorator since the response headers showed Django wasn't setting Cache-Control automatically.
Jack