Solved How important it is to log out from a website vs clearing history?

CaffeineAddict

If we log out from a website then that login session is gone and we need to login again.
On another side you can clear browser history and then need to login again to a website.

Both methods result in same outcome which is that you need to login again, but there is one thing that's not quite the same...
I noticed on various websites they keep your login sessions, so if you never log out but simply clear browser history then you may end up with multiple active login sessions while you're in fact using just one, normally the most recent one.

You can manage those old surplus sessions by "forgetting" them in your account settings on a website.

I almost never log out from any website but simply delete history, but what started to poke me is that those surplus old sessions might have been hijacked, ex. cookie hijacking, and in that case 2 or more sessions would be active, one by you and another one by an attacker.
If I pay no attention to these old sessions an attacker could spy on my activity.
Also if I don't use the website there may be someone else using it in my name and impersonating me without me knowing it.

Now this is only a theory that I think is possible but I'm not sure how realistic it is, and the question is should we always log out from websites for added safety vs simply deleting history?
Also it's hard to keep track sometimes if you login to many websites, and also not all websites give you options to manage stale sessions.

What do you have to say about this?
And how do you manage your website logins?
 
For someone to steal your cookie, they have to have access to your hard drive, and moreover your browser stores the cookies encrypted in a database file. Unless someone can run your browser remotely I don't think they can steal your cookie, and if that's the case this is the least you should worry about.
 
I recently started using a Firefox add-on to automatically delete the cookies of all the websites I access, with the exception of a few I have whitelisted. Maybe you will find it useful too?
 
I recently started using a Firefox add-on to automatically delete the cookies of all the websites I access, with the exception of a few I have whitelisted. Maybe you will find it useful too?
That doesn't log you out of the sites?
 
I recently started using a Firefox add-on to automatically delete the cookies of all the websites I access, with the exception of a few I have whitelisted. Maybe you will find it useful too?
I'm already using CAD, but this doesn't solve the problem, deleting cookies is the same thing as clearing history, it doesn't log you out from websites.

For someone to steal your cookie, they have to have access to your hard drive, and moreover your browser stores the cookies encrypted in a database file. Unless someone can run your browser remotely I don't think they can steal your cookie, and if that's the case this is the least you should worry about.
Didn't know cookies are encrypted, but I think if you're logged in to your account on computer then they're decrypted.
I don't think session hijacking is so hard, I'm talking about malware which would steal your cookies while you're running web browser and send them to haxor's server.
 
That doesn't log you out of the sites?
It logs me out of all the ones I don't have whitelisted, so ones that I made an exception for. For everything else it deletes the cookies.
 
I'm already using CAD, but this doesn't solve the problem, deleting cookies is the same thing as clearing history, it doesn't log you out from websites.
When I login into a website that I don't have whitelisted and I close my browser and then open my browser again. Then go to that same page I am not logged into that website anymore.
 
It logs me out of all the ones I don't have whitelisted, so ones that I made an exception for. For everything else it deletes the cookies.
To log out from a website you need to click on "log out" button on a website.
There is no universal or automated way of doing this, it requires a user to log out.

When I login into a website that I don't have whitelisted and I close my browser and then open it again. Then go to that same page I am not logged into that website anymore.
Yes because cookies are deleted but your session is still active.
You can test this on sites that support managing sessions such as github or protonmail.
 
To log out from a website you need to click on "log out" button on a website.
There is no universal or automated way of doing this, it requires a user to log out.
No, when my cookies are cleared for a website, the login is gone too. I just tested it out for a shopping website I use. I logged into that shopping website, I closed my browser, I then opened my browser again and go to that same shopping website and then I have to login again because I am logged out. I tested it for several websites, the only ones that stay logged in are the ones which I have whitelisted to keep the cookies of.
 
I then opened my browser again and go to that same shopping website and then I have to login again because I am logged out
It's not so simple, if you give me your cookies and log out you'll need to login but I'll still be able to exploit your cookies to access your account without you needing to log-in.
And even if you log in I'll still be able to login to your account, there will be 2 sessions active, most sites work like this and don't auto delete your sessions.

Screenshot below is from my protonmail dashboard (my current login), currently there is only one session because I manually deleted other stale sessions, but they were there and usable by potential attackers from the past:

proton.png
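
The behaviour described in the post above, modelled as an added example (not part of the thread and not any real site's code): a hypothetical in-memory `SessionStore` shows that clearing cookies only discards the browser's copy of the token, while logging out or "forgetting" a session removes the server-side record. All class and function names are assumptions made for illustration.

```python
import secrets
import time

class SessionStore:
    """Hypothetical server-side session table: token -> record."""
    def __init__(self, idle_timeout=1800):
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": now}
        return token  # what the browser stores as its session cookie

    def authenticate(self, token, now=None):
        now = time.time() if now is None else now
        rec = self._sessions.get(token)
        if rec is None or now - rec["last_seen"] > self.idle_timeout:
            self._sessions.pop(token, None)  # unknown or idle too long
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, token):
        # Explicit logout deletes the record on the server.
        return self._sessions.pop(token, None) is not None

    def active_sessions(self, user):
        return [t for t, r in self._sessions.items() if r["user"] == user]

    def revoke_others(self, user, keep):
        # The "forget other sessions" button in account settings.
        stale = [t for t in self.active_sessions(user) if t != keep]
        for t in stale:
            del self._sessions[t]
        return len(stale)

def demo():
    store = SessionStore()
    old = store.login("alice", now=0)
    # Browser clears cookies here: the client forgets `old`,
    # but the server is never told, so the record stays.
    new = store.login("alice", now=60)
    count = len(store.active_sessions("alice"))
    old_valid = store.authenticate(old, now=120) == "alice"
    revoked = store.revoke_others("alice", keep=new)
    old_after = store.authenticate(old, now=130)
    store.logout(new)
    new_after = store.authenticate(new, now=140)
    return count, old_valid, revoked, old_after, new_after
```

A server-side idle timeout, as in `authenticate`, is what bounds the lifetime of sessions on sites that offer no session-management page.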
 
It's not so simple, if you give me your cookies and log out you'll need to login but I'll still be able to exploit your cookies to access your account without you needing to log-in.
I went searching around and I see what you mean now. For the problem you are referring to, two-factor authentication (2FA) was created as an extra security measure, or you can use a private browser session if you don't want the login session to be stored. I would assume you have 2FA enabled for something like your Proton account...?
 
I went searching around and I see what you mean now. For the problem you are referring to, two-factor authentication (2FA) was created as an extra security measure, or you can use a private browser session if you don't want the login session to be stored. I would assume you have 2FA enabled for something like your Proton account...?
Now I understand why 2FA is so important!

No I don't have it for protonmail because I prefer SMS for authentication over authenticator apps (protonmail doesn't support SMS authentication) but I have it set for github and few other accounts.

So can we conclude that manual log out from a website is must do instead of simply clearing cookies? (if not using 2FA)
 
t's because protonmail doesn't support SMS, and authenticator apps,
I understand why they don't support SMS, most likely because of privacy but I find quite odd that they don't support 2FA apps being as big as they are.
 
I understand why they don't support SMS, most likely because of privacy but I find quite odd that they don't support 2FA apps being as big as they are.
They allow recovery by phone and by backup file, which is solid in case your account is hacked or password lost.
But I think 2FA can also be evil, if you lose your phone or it gets stolen then you're doomed.

I think recovery by backup codes or backup file is the best security wise because you can hide your codes ex. in a safe, but you can't hide your phone, your phone is always with you.

But then another thing popped out in my mind, I'm not sure how 2FA can prevent session hijacking, once you authorize login with 2FA your cookies can still be stolen and reused?
 
They allow recovery by phone and by backup file, which is solid in case your account is hacked or password lost.
But I think 2FA can also be evil, if you lose your phone or it gets stolen then you're doomed.
You can generate backup codes in case you lose access to your 2FA device.

But then another thing popped out in my mind, I'm not sure how 2FA can prevent session hijacking, once you authorize login with 2FA your cookies can still be stolen and reused?
Do you have access to government secrets or information, or are you living in China, or are you a Linus Tech Tips employee? If none of those, you are overthinking it. Yes, it can happen, but it's more likely you are not interesting enough for someone to specifically target you for that.
 
Do you have access to government secrets or information, or are you living in China, or are you a Linus Tech Tips employee? If none of those, you are overthinking it. Yes, it can happen, but it's more likely you are not interesting enough for someone to specifically target you for that.
It's so secret I can't tell you :cool:

But I'm not worried, I keep the stuff in my head not on HDD, but the feeling of being tracked for the purpose of info gathering is not pleasant so I want to keep access to my virtual life as private as possible.

You can generate backup codes in case you lose access to your 2FA device.
Yes but the point here is to prevent stealing cookies.
I have no issue with recovering my account in case it's lost.
 
But I'm not worried, I keep the stuff in my head not on HDD, but the feeling of being tracked for the purpose of info gathering is not pleasant so I want to keep access to my virtual life as private as possible.
Tracking cookies are deleted when you clear your browsers cookies and data, you were talking about login sessions before. If you are worried about someone stealing your login session to see what your access for certain websites? Unless you were specifically targeted if you were to be important enough or have access to some important information I would not worry about it.

It's so secret I can't tell you :cool:
I have a hard time believing you because people that have secret jobs don't tend to tell other strangers on the internet and people that have access to secret information usually get security protocols they have to follow and do when it comes to how they work and what type of devices they use. Since you are asking about this on a public forum I have a hard time believing you and on top of that people that actually need help with security and privacy for their job usually have professionals they can fall back on. I'm not speaking from experience but from what I have read and read how it goes for politicians.
 
I have a hard time believing you because people that have secret jobs don't tend to tell other strangers on the internet and people that have access to secret information usually get security protocols they have to follow and do when it comes to how they work and what type of devices they use. Since you are asking about this on a public forum I have a hard time believing you and on top of that people that actually need help with security and privacy for their job usually have professionals they can fall back on. I'm not speaking from experience but from what I have read and read how it goes for politicians.
I have already shared some info accidentally on various forums online, and the dudes who are after me already know I'm aware of their activities so that part is not really a secret.
The funny thing is that they believe I have some super secrets while in fact I have none that would be useful for them to waste their time lol

Of course you don't believe me, neither would I believe anyone saying such things.

But here is what I can tell you from my research, some people are journalists who expose things which governments or various groups don't want to be published and so various groups will go after them to identify them and to deal with them.
Also activists do similar things.
These types of people, even though doing nothing criminal or having no special secrets, are easily targeted not by whomever but by those who have contacts with ISPs or have various legal means to enforce their activities.

Think about that scenario, put yourself into the position of these example folks and then believing won't be as hard.
Ofc. many different types of activities can attract someone to track you. (I'm not talking about tracking cookies but about targeting individuals for various reasons)
 

