Hacker News new | comments | ask | show | jobs | submit login

On one hand, I do agree that it is very annoying. However, I can kind of understand.

There may be a way around this, but if no session was required, then couldn't someone just make a bunch of GET requests to the unsubscribe url for each user id and unsubscribe the entire user base?

Well, I think most professional developers would use a GUID for each user anyway. Good luck bruteforcing that.

Yes, this is a solved problem.

Just use CSRF tokens.

Yeah, I don't know why I didn't think of that. In that case, there really isn't any justification.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact