102

I would like to know which http method I should use when doing a login request, and why? Since this request creates an object (a user session) on the server, I think it should be POST, what do you think? But since the login request should be idempotent, it could be PUT, couldn't it?

Same question for a logout request, should I use the DELETE method?

Dave Jarvis
  • 28,853
  • 37
  • 164
  • 291
greg0ire
  • 21,120
  • 15
  • 68
  • 95

6 Answers6

83

If your login request is via a user supplying a username and password then a POST is preferable, as details will be sent in the HTTP messages body rather than the URL. Although it will still be sent plain text, unless you're encrypting via https.

The HTTP DELETE method is a request to delete something on the server. I don't think that DELETING an in memory user session is really what it's intended; more it's for deleting the user record itself. So potentially logout can be just a GET e.g. www.yoursite.com/logout.

planetjones
  • 11,699
  • 3
  • 47
  • 51
  • 2
    Regarding the login request, I added something to my question saying it could be PUT, I was not hesitating with GET. +1 for the detailed answer – greg0ire May 03 '11 at 11:39
  • 2
    ok - PUT is really creating something on the server I think. So in a RESTful sense I guess that's what you COULD use if creating a new user. And the user should be created at the URL you specify. However, for something which is really transient like a http session, then I would login in via POST. – planetjones May 03 '11 at 11:43
  • I think the fact that the http session is transient makes your point. I'm going to do as you said, thanks. – greg0ire May 03 '11 at 11:49
  • 18
    I disagree that LOGOUT should be GET because simply by sending a user email with image tag that has it's src attribute as "www.yoursite.com/logout" will log that user out. – Vytautas Butkus Feb 21 '14 at 11:29
  • 2
    GET doesn't make much sense. Another input on this can be found here: http://stackoverflow.com/questions/3521290/logout-get-or-post – thasmo Feb 18 '15 at 22:04
  • Please never use GET request for doing *important* actions such as logout. A page preloader for example would log the user out. A spider also (but not so relevant for this). – Francisco Presencia Aug 20 '16 at 04:07
  • Could you not say that logout is in fact deleting cookies and just navigating to a placeholder, or the login screen again. Therefore no REST call is needed. I know some SSO servers require you to do a GET on a particular link, but that would be provided by the SSO server itself. – PeterS Mar 27 '17 at 14:04
  • I agree with @planetjones. Both signup and login are idempotent operations in my opinion and PUT seems to be an appropriate method (If your payload for both signup and login is same) – apnerve Jun 03 '20 at 09:47
45

I believe that you can translate LOGIN & LOGOUT methods into basic CRUD operations CREATE & DELETE. Since you are creating a new resource called SESSION and destroying it when logging out:

  1. POST /login - creates session
  2. DELETE /logout - destroys session

I would never do LOGOUT as GET just because anyone could make an attack just simply by sending an email with IMG tag or link to website where such an IMG tag exists. (<img src="youtsite.com/logout" />)

P.S. Long time I was wondering how would you create a RESTful login/logout and it turned out it's really simple, you do it just like I described: use /session/ endpoint with CREATE and DELETE methods and you are fine. You could also use UPDATE if you want to update session in one way or another...

Vytautas Butkus
  • 4,895
  • 6
  • 26
  • 45
  • 4
    It is almost as easy to do a DELETE request as a GET request with modern browser tools, some of which are available right in the browser, like issuing an XHR request directly from the browser console. Still upvoted because you talked about semantics, which is also important, as well as database. – trysis Jan 28 '16 at 15:09
10

Here is my solution based on REST guides and recommendations:

LOGIN - create a resource

Request:

POST => https://example.com/sessions/

BODY => {'login': 'login@example.com', 'password': '123456'}

Response: 

http status code 201 (Created)

{'token': '761b69db-ace4-49cd-84cb-4550be231e8f'}

LOGOUT - delete a resource

Request:

DELETE => https://example.com/sessions/761b69db-ace4-49cd-84cb-4550be231e8f/

Response: 

http status code 204 (No Content)
Ty Mick
  • 65
  • 1
  • 6
Ali Mamedov
  • 4,436
  • 3
  • 27
  • 39
6

For login request we should use POST method. Because our login data is secure which needs security. When use POST method the data is sent to server in a bundle. But in GET method data is sent to the server followed by the url like append with url request which will be seen to everyone.

So For secure authentication and authorization process we should use POST method.

I hope this solution will help you.

Thanks

Aman Goyal
  • 291
  • 4
  • 6
4

Regarding the method for logging out:

In the Spring (Java Framework) documentation, they state that a POST request is preferred, since a GET makes you vulnerable to CSRF (Cross-Site Request Forgery) and the user could be logged out.

Adding CSRF will update the LogoutFilter to only use HTTP POST. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users.

See: https://docs.spring.io/spring-security/site/docs/current/reference/html/web-app-security.html#csrf-logout

Logging in should also use POST (body can be encrypted, see the other answers).

byxor
  • 4,720
  • 4
  • 25
  • 39
DrunkenPope
  • 494
  • 9
  • 18
0

For Login I use POST, below is my code for LOGIN method I used Nodejs with Express and Mongoose 

your router.js
     const express = require("express");
     const router = express.Router();

     router.post("/login", login);

your controller.js
     export.login = async(req, res) => {
         //find the user based on email
         const {email, password} = req.body; 

           try{
                const user =  awaitUser.findOne({email});
                if(user==null) 
                 return res.status(400).json({err : "User with 
                         email doesnot exists.Please signup"});
          }
           catch(error){
                 return res.status(500).json({err : 
                                     error.message});
               }

         //IF EVERYTHING GOES FINE, ASSIGN YOUR TOKEN
          make sure you have JWT installed 
         const token = jwt.sign({_id: user._id}, YOUR_SECRET_KEY);

         res.cookie('t');

         const {_id, name, email} = user;
         return res.json({token, user : {_id, email, name}});



     }
xSachinx
  • 57
  • 3