It's really not idempotent. And also it will spam the CSRF token into
the URL, which isn't what we want.
<h2>Log out of Chopwood</h2>
<h2>Log out of Chopwood</h2>
-<form method=GET action="~={script}H/logout">
+<form method=POST action="~={script}H/logout">
<button type=submit>Log out</button>
<input type=hidden name=%user value="~={user}H">
<input type=hidden name=%nonce value="~={nonce}H">
<button type=submit>Log out</button>
<input type=hidden name=%user value="~={user}H">
<input type=hidden name=%nonce value="~={nonce}H">