HTTP RESTful Webservice Logout: Which is correct or better practice - POST or DELETE?

Question

As stated by the accepted answer in Which HTTP method should Login and Logout Actions use in a "RESTful" setup it is recommendable to use HTTP POST (= create) for a login in a RESTful webservice (e.g. /webservice/login/). POST is neither idempotent nor safe (http://restcookbook.com/HTTP%20Methods/idempotency/).

However how about a logout (e.g. /webservice/logout/). Shall I use POST or DELETE?

DELETE is idempotent - no matter if a session (or whatever) exists on the server or not it is deleted and the answer from the webserver is some OK without any further contents. This feels somehow natural to me.

POST is not idempotent and some posters on similar questions recommend POST for a REST logout. I can think of two possible reasons:

1. if the session does not exist the server may return a 404 - an successful answer otherwise (two kinds of answer)

2. a logout may trigger e.g. a database update containing logout information for a user etc. and therefore a logout operation would not be idempotent

So which HTTP Method would be better for a logout - POST or DELETE?

Answer 1

Generally your webserver should neither have a session or a logout feature. A REST service should be stateless and authentication information sent along with every request.

However, if you are authenticating the user with some token, and you want to explicitly tell the server to expire the token, and you want to express this in a RESTful manner, it would make sense to me that:

• Your tokens are represented in urls like /sessions/[id]
• You issue a DELETE on that url

It does not make sense to me that you have a url like /webservice/logout/ that you delete.

Issuing a POST request with some information to issue a 'logout' action is a sensible HTTP API design approach, but it's not REST.