path: root/lib/attachment_to_html
author: Louise Crow <louise.crow@gmail.com>, 2015-04-09 18:39:23 +0100
committer: Louise Crow <louise.crow@gmail.com>, 2015-04-10 12:09:19 +0100
commit: 24a91a3dc095a0d55cb6b4ddf3c6a68726228f54
tree: d5caef54c33eb13a1d5a53a24294ad12d802495a /lib/attachment_to_html
parent: af4e1ad526804ae15df49221668e00f5f0389085
Use GET for search forms, not POST.
Now that we use global CSRF authenticity checks, searches were logging logged-in users out as the form is an HTML form, not a Rails-generated form with a CSRF token. So form submission raised an InvalidAuthenticityToken error and reset their session. We could generate the form in Rails, but we also want to minimise the number of non-logged-in people who have a session cookie, so that Varnish can cache pages extensively. So we don't want to put the CSRF token for the search form in everyone's session.
Diffstat (limited to 'lib/attachment_to_html')
0 files changed, 0 insertions, 0 deletions