asp.net mvc - MVC5 Web Application Scaffold - Account/LogOff - Why use HTTP POST?


I am trying to get my head around the MVC 5 web application template, and noticed that special attention is given to security around the log off link.

In the scaffold template the "LogOff" link in the _LoginPartial.cshtml view sits inside an HTML form with an AntiForgeryToken in it, and is defined as a JS call to the form's submit action, like so:

    @if (Request.IsAuthenticated)
    {
        using (Html.BeginForm("LogOff", "Account", FormMethod.Post, new { id = "logoutForm", @class = "navbar-right" }))
        {
            @Html.AntiForgeryToken()

            <ul class="nav navbar-nav navbar-right">
                <li>
                    @Html.ActionLink("Hello " + User.Identity.GetUserName() + "!", "Index", "Manage", routeValues: null, htmlAttributes: new { title = "Manage" })
                </li>
                <li><a href="javascript:document.getElementById('logoutForm').submit()">Log off</a></li>
            </ul>
        }
    }

with the corresponding action method Account/LogOff inside AccountController defined like so:

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        AuthenticationManager.SignOut();
        return RedirectToAction("Index", "Home");
    }

My question is: what is the reasoning behind it? Why does the LogOff action require security protection? Why not have this in the view,

    @Html.ActionLink("Hello " + User.Identity.GetUserName() + "!", "Index", "Manage", routeValues: null, htmlAttributes: new { title = "Manage" })
    @Html.ActionLink("Log off", "LogOff", "Account", routeValues: null, htmlAttributes: new { title = "LogOff" })

and in the controller:

    public ActionResult LogOff()
    {
        AuthenticationManager.SignOut();
        return RedirectToAction("Index", "Home");
    }

What security hole would that create?

Thanks.

Please refer to this link: Logout: GET or POST?.

It answers your question on why POST should be used for logout.
