
On one hand, I do agree that it is very annoying. However, I can kind of understand.

There may be a way around this, but if no session was required, then couldn't someone just make a bunch of GET requests to the unsubscribe url for each user id and unsubscribe the entire user base?



Well, I think most professional developers would use a GUID for each user anyway. Good luck bruteforcing that.


Yes, this is a solved problem.


Just use CSRF tokens.


Yeah, I don't know why I didn't think of that. In that case, there really isn't any justification.
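The approach the thread converges on, a per-user unsubscribe link that needs no session but cannot be enumerated, as an added example (not code posted by any commenter): instead of storing a random GUID per user, the server signs the user id with an HMAC and the link carries that signature. Names, the secret and the base URL are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example secret; a real deployment loads this from a secrets store.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def _signature(user_id: str) -> str:
    """HMAC-SHA256 over the user id, URL-safe base64 without padding."""
    digest = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_unsubscribe_url(user_id: str, base: str = "https://example.com/unsubscribe") -> str:
    """Link placed in the email: carries the id plus a signature only the server can produce."""
    return f"{base}?{urlencode({'uid': user_id, 'sig': _signature(user_id)})}"


def verify_unsubscribe_url(url: str) -> Optional[str]:
    """Return the user id if the link's signature is valid, otherwise None.

    A guessed or incremented uid fails here because the attacker cannot
    recompute the signature without SECRET_KEY, so no session is needed.
    """
    params = parse_qs(urlparse(url).query)
    uid = params.get("uid", [None])[0]
    sig = params.get("sig", [None])[0]
    if not uid or not sig:
        return None
    # Constant-time comparison avoids leaking the signature via timing.
    if not hmac.compare_digest(sig, _signature(uid)):
        return None
    return uid
```

The handler should still perform the state change on a POST or a confirmation page rather than a bare GET, so mail scanners that prefetch links do not unsubscribe users by accident.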



