2 Comments

There was one removal kind of deep in the list that might catch some folks off guard, especially those who (like me) haven't been following Django's evolution closely and who simply linked to the built-in LogoutView to log out users:

"Support for logging out via GET requests in the django.contrib.auth.views.LogoutView and django.contrib.auth.views.logout_then_login() is removed. "

author

Yes, that's a good one to call out!

I remember reading about this when I was updating the Django project for Python Crash Course. Basically, it's better to use a POST request for logging users out. If logout is implemented through a simple GET request (i.e. a standard link), it's easier for attackers to force a logout.

The update for this is to convert the logout link to an empty form, which can be styled to look just like a standard link. See the release notes for 4.1, when this was deprecated: https://docs.djangoproject.com/en/5.0/releases/4.1/#log-out-via-get

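The "empty form styled as a link" described in the reply above, written out as an added example (it is not code from the comment, the blog post, or the Django project). It assumes a URL pattern named `logout` that routes to `django.contrib.auth.views.LogoutView`, and that Django's CSRF middleware is enabled, which it is by default:

```html
{# Django template fragment: replaces a GET-style <a href="{% url 'logout' %}">Log out</a> #}
{# The form submits a POST to LogoutView; a plain link or <img src> cannot produce that. #}
<form method="post" action="{% url 'logout' %}" class="logout-form">
  {# CSRF token: cross-site pages cannot read it, so forged POSTs are rejected by the middleware #}
  {% csrf_token %}
  {# A button with no visible form chrome; style it to look like the old link #}
  <button type="submit" class="link-button">Log out</button>
</form>

<style>
  /* Render the submit button like inline link text (assumed class names) */
  .logout-form { display: inline; margin: 0; }
  .link-button {
    background: none;
    border: none;
    padding: 0;
    color: inherit;
    text-decoration: underline;
    cursor: pointer;
    font: inherit;
  }
</style>
```

The URL side is the same as before the deprecation, for example `path("logout/", LogoutView.as_view(), name="logout")` in `urls.py`; only the way the request is sent changes. The protection comes from two things together: `LogoutView` now only acts on POST, and the CSRF middleware refuses a POST that lacks a token tied to the user's session, so a third-party page can no longer log the user out by getting their browser to fetch the logout URL.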