
On one hand, I do agree that it is very annoying. However, I can kind of understand.

There may be a way around this, but if no session was required, then couldn't someone just make a bunch of GET requests to the unsubscribe URL for each user ID and unsubscribe the entire user base?




Well, I think most professional developers would use a GUID for each user anyway. Good luck brute-forcing that.
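
Added example, not part of the original comment: a sketch of the GUID approach, where the session-less unsubscribe link carries a random per-user token instead of the user ID, so requests that walk through user IDs match nothing. The class, the `u` query parameter and the `example.invalid` URL are assumptions made for illustration.

```python
import uuid
from urllib.parse import urlparse, parse_qs


class UnsubscribeService:
    """In-memory stand-in for a user table (constructed for this example)."""

    def __init__(self):
        self.subscribed = {}     # user_id -> still subscribed?
        self.user_by_token = {}  # unsubscribe GUID -> user_id

    def add_user(self, user_id):
        # uuid4() takes 122 random bits from the OS CSPRNG; this is the "GUID".
        token = str(uuid.uuid4())
        self.subscribed[user_id] = True
        self.user_by_token[token] = user_id
        # The link sent by e-mail never contains the user ID itself.
        return f"https://example.invalid/unsubscribe?u={token}"

    def handle_get(self, url):
        """Handle a GET with no session; return the HTTP status code."""
        supplied = parse_qs(urlparse(url).query).get("u", [""])[0]
        try:
            token = str(uuid.UUID(supplied))  # normalise; rejects "42" etc.
        except ValueError:
            return 404
        user_id = self.user_by_token.get(token)
        if user_id is None:
            return 404  # well-formed GUID that belongs to nobody
        self.subscribed[user_id] = False
        return 200


def hits_from_id_guessing(service, max_id):
    """Replay the concern raised in the thread: one GET per sequential user ID."""
    base = "https://example.invalid/unsubscribe?u="
    return sum(service.handle_get(f"{base}{i}") == 200
               for i in range(1, max_id + 1))


if __name__ == "__main__":
    svc = UnsubscribeService()
    links = [svc.add_user(uid) for uid in range(1, 6)]
    print("unsubscribed by ID guessing:", hits_from_id_guessing(svc, 1000))
    print("own link status:", svc.handle_get(links[0]))
```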


Yes, this is a solved problem.


Just use CSRF tokens.


Yeah, I don't know why I didn't think of that. In that case, there really isn't any justification.



