
Why use an MVC post to log out?

In the Visual Studio OOB forms-based authentication example for MVC, a postback is used when the user logs out:

@using (Html.BeginForm("LogOff", "Account", FormMethod.Post, new { id = "logoutForm" })) {
    @Html.AntiForgeryToken()
    <a href="javascript:document.getElementById('logoutForm').submit()">Log off</a>
}

Is there a reason why this isn't a regular GET, since no data is being sent back to the server?

Kye asked Feb 14 '23 09:02


1 Answer

A logout operation is not idempotent so it's good to use POST.

GET should only be used to retrieve resources. A logout is an operation and doesn't return a specific resource.

GET requests can also be cached, remain in the browser history and be bookmarked. These are useless functionalities for a logout.

Brice Argenson answered Feb 15 '23 23:02
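The server side that the form in the question posts to, as an added example that is not part of the original question or answer and is not the Visual Studio template's own code. It assumes classic ASP.NET MVC with forms authentication; the `AccountController`/`LogOff` names come from the `Html.BeginForm` call above, and the redirect target (`Index` on `Home`) is an assumption.

```csharp
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // POST /Account/LogOff
    // [HttpPost]: only a POST matches this action, so a plain link, a bookmark,
    // a browser-history entry or a cached URL cannot end the session.
    // [ValidateAntiForgeryToken]: the POST must carry the hidden field emitted by
    // @Html.AntiForgeryToken() in the logout form, matched against its cookie;
    // a POST without a valid token is rejected before the action body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        // Expire the forms-authentication ticket cookie.
        FormsAuthentication.SignOut();

        // Drop server-side session state, if session state is enabled.
        if (Session != null)
        {
            Session.Abandon();
        }

        // Redirect after the POST so a page refresh does not resubmit the form.
        // "Index"/"Home" is an assumed landing page.
        return RedirectToAction("Index", "Home");
    }
}
```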