Notifications
Sign Up Sign In
Q&A

Following the "sign out" into a new tab results in 404 Not Found

+1
−0

I'm honestly not sure what is going on here.

Once I'm logged in to a Codidact site, if I click "sign out" in the top right corner of each page, I get signed out -- which is exactly what you'd expect.

However, if I follow that link such that it's opened in another tab -- Ctrl+click, middle-click, right-click then "open in new tab" -- what happens is that I get a 404 Not Found error message back.

The URL then shown by the browser looks perfectly sane in that case; https://somethingsomethingoranother.codidact.com/users/sign_out (which is the same as the link target).

If I go back to the original tab, and simply click the exact same "sign out" there, then I get logged out just fine.

This is with Firefox 68.9 ESR. Thinking that this was somehow related to too-strict privacy controls, I tried setting uMatrix to allow everything globally, but even then I got the same error message.

It's a slight annoyance because I sometimes like to leave posts up for reference, but want to sign out of my account. The standard way to do that for me is to just middle-click "sign out" to sign out in a separate tab, leaving the others untouched; but in this case, that doesn't work, so I have to open a new tab to somewhere on the site, then sign out in that one.

Why should this post be closed?

0 comments

1 answer

+2
−0

This is [status-bydesign] for security reasons.

The sign out request uses an HTTP DELETE request to avoid an attack called CSRF. Clicking a link, by default, uses a GET request. The library that handles our user authentication works some JS magic to capture your click and send the correct DELETE instead, but middle-click or otherwise opening in a new tab can only ever use a GET request, which won't work.

As a workaround, you can instead open any page in a new tab - middle-click the logo, for example - and then sign out in that tab.

3 comments

Fair enough, but then I would argue that the response shouldn't be 404 Not Found, but rather 405 Method Not Allowed. After all, the requested resource exists at the URL in question; it just doesn't support GET specifically. aCVn about 1 month ago

I'll see if that's practical to do, @aCVn ArtOfCode about 1 month ago

Another solution I found, was to show a GET page "Do you really want to sign out? [some comment about showing this page for security reasons] and then a sign out button sending the request on click". luap42 about 1 month ago

Sign up to answer this question »