docs(examples): with-iron-session logout must be called via POST (#22240)
1. Logout is better called in a POST request (avoids caching in most situations + avoids weird CSRF "logout attacks", i.e. can't be logged out by clicking on an email link)
2. We should wait for logout to complete before mutating the user, otherwise some weird race conditions might prevent swr from catching the right logged out state
parent 1f5f0d313a
commit 84e47b82a5
1 changed files with 4 additions and 1 deletions
|
@ -43,7 +43,10 @@ const Header = () => {
|
|||
href="/api/logout"
|
||||
onClick={async (e) => {
|
||||
e.preventDefault()
|
||||
await mutateUser(fetchJson('/api/logout'))
|
||||
mutateUser(
|
||||
await fetchJson('/api/logout', { method: 'POST' }),
|
||||
false
|
||||
)
|
||||
router.push('/login')
|
||||
}}
|
||||
>
|
||||
|
|
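Review bot: The anchor in this hunk still carries `href="/api/logout"`, so any navigation that bypasses the `onClick` handler (JavaScript disabled, open in a new tab, or a link to that URL from another page or an email) still reaches the route as a GET. This commit touches a single file, so nothing visible here makes the API route reject non-POST methods. To deliver what the commit message promises, the `/api/logout` handler should return 405 for anything other than POST, and the link would be better as a button or a form that posts, so no GET URL is exposed at all. Separately, `await fetchJson('/api/logout', { method: 'POST' })` has no error handling: if the request rejects, `mutateUser(..., false)` and `router.push('/login')` never run and the UI keeps showing a logged-in state without feedback. Wrapping the call in try/catch and deciding explicitly what the header shows on failure would close that gap.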