What method should I use for a login (authentication) request?

login logout http-method
greg0ire picture greg0ire · May 3, 2011 · Viewed 79.8k times · Source

I would like to know which http method I should use when doing a login request, and why? Since this request creates an object (a user session) on the server, I think it should be POST, what do you think? But since the login request should be idempotent, it could be PUT, couldn't it?

Same question for a logout request, should I use the DELETE method?

Answer

planetjones picture planetjones · May 3, 2011

If your login request is via a user supplying a username and password then a POST is preferable, as details will be sent in the HTTP messages body rather than the URL. Although it will still be sent plain text, unless you're encrypting via https.

The HTTP DELETE method is a request to delete something on the server. I don't think that DELETING an in memory user session is really what it's intended; more it's for deleting the user record itself. So potentially logout can be just a GET e.g. www.yoursite.com/logout.

Related questions

PHP Session Destroy on Log Out Button

I'm currently working on a site that has a log-in (username and password) - The password protection is done by the operating system within the web server at folder level called a Realm within the OS. For now this will …

Read More
django rest framework - token authentication logout

I have implemented the Token Authentication according to the django rest framework Docs. Form what I read, the Token Authentication of DRF is quite simple - one token per user, the token doesn't expire and is valid for use always (…

Read More
Why can't I logout on django user auth?

I am using the django.contrib.auth user management system. So I got the registration/insert into the user table/model up and the login from django.contrib.auth.views.login up so I can log in. However, I can't …

Read More