Description
Some links that create GET requests have side effects that may destroy data when a user is using a web accelerator that prefetches every link on a page. Such a web accelerator is correct according to the HTTP spec, which defines GET as a safe method without side effects.
Steps to reproduce
Install Google Web Accelerator and visit your favorite wiki as a registered user.
Example
Here are some broken links found on this wiki:
- http://moinmoin.wikiwikiweb.de/FooBar?action=logout&logout=logout - the logout link on any page.
- del - the delete attachment link in the version history page.
- http://moinmoin.wikiwikiweb.de/FooBar?action=revert&rev=197 - the revert link on the version history page.
- http://moinmoin.wikiwikiweb.de/FooBar?action=subscribe - the subscribe/unsubscribe link on any page.
- http://moinmoin.wikiwikiweb.de/FooBar?action=quicklink - the add/remove quick link on any page.
- del - the delete attachment link on the attachments page.
Details
Any MoinMoin version.
Workaround
Hope that your wiki users do not use a web accelerator.
Discussion
http://www.37signals.com/svn/archives2/the_google_web_accelerator_is_back_with_a_vengeance.php - DHH of 37signals complains about Google Web Accelerator after he failed to use side-effect-free GET.
It's possible to design a robot that will log in as a user, then fetch all the revert and del links in the wiki. Such a robot, working slowly during the night, may cause a lot of mess.
Fix: any action that has side effects should use a form with the POST method.
- login/logout
- change user setting - add links, subscribe etc.
Looks like we can't have everything in that case:
- The logout stuff at the top of the page used to be a POST form. Users disliked that because browsers rendered that item differently from the GET links nearby. It was also requested that login should be an action that can be bookmarked (thus a GET). Another question is whether a web "accelerator" shouldn't rather fetch the links declared instead of everything it can find. Looks rather like a DDoS and annoyance tool if it really works the way you describe it.
People don't need to bookmark logout. The easiest solution is to have the logout POST button on a second page. One click more, fewer problems. -- AlexanderSchremmer 2006-04-06 22:01:57
Plan
- Priority:
- Assigned to:
- Status: