Why You Should Log Out Of Some Web Sites When Finished

Posted Oct 9, 2008 by Jason Faulkner  

Every web site you use that has account and login capabilities has a log out function (if not, it is a poorly designed site), which you may or may not use. For the purposes of this tip, I want to share why not logging out when you are done can be dangerous. Please keep in mind that this is just one possible exploitation, and whether it applies depends on how the site you are using is designed. I’m going to try to keep it simple, so here goes…

Some sites like to embed what’s called a session ID into the URL when you are logged into their site. Typically you can tell because there will be a long random string of characters in your address bar. The session ID is how the site’s server recognizes that the requests coming from your browser belong to your logged-in session. Now, if you navigate away from this site directly, the site you navigate to can capture the URL you came from (which includes your session ID) as the referring URL and record this in their log files. As a result, the new site now has your session ID information and can access the old site as you (again, depending on how the site is designed).

Logging out of the web site closes your session (or at least it should). This is why you get a lot of notices from banking sites asking you to immediately close your browser.

Again, this is just one possible exploit, and it depends entirely on how the site is designed, but it does go to show you what can happen even when you are trying to be cautious online.
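The referrer leak described above, seen from the log-file side, as an added example that is not part of the original post: this Python script scans Combined Log Format lines for Referer URLs that carry a session-like parameter and masks the value so the report does not repeat it. The parameter-name list, the `example.*` hosts and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed list of common session parameter names; adjust for your application.
SESSION_PARAMS = {"phpsessid", "jsessionid", "sid", "sessionid", "session_id"}

# Combined Log Format ends with: "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'"[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"$')

def session_params_in(url):
    """Return names of session-like parameters carried in a URL."""
    parts = urlsplit(url)
    found = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() in SESSION_PARAMS]
    # Path parameter form, e.g. /page;jsessionid=ABC
    found += [m.group(1) for m in re.finditer(r";(\w+)=", parts.path)
              if m.group(1).lower() in SESSION_PARAMS]
    return found

def redact(url):
    """Mask session parameter values so the audit report does not re-leak them."""
    names = "|".join(sorted(SESSION_PARAMS))
    return re.sub(rf"(?i)\b({names})=[^&;#?\s]*", r"\1=[REDACTED]", url)

def audit(lines):
    """Return (referring host, parameter names, redacted Referer) per leaking entry."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        ref = m.group("ref") if m else "-"   # "-" means no Referer was sent
        names = session_params_in(ref)
        if names:
            hits.append((urlsplit(ref).hostname, names, redact(ref)))
    return hits

# Constructed sample access-log lines (hosts and token values are made up).
SAMPLE = [
    '203.0.113.5 - - [09/Oct/2008:17:06:00 +0000] "GET / HTTP/1.1" 200 512 '
    '"http://shop.example.com/account?view=orders&PHPSESSID=abc123def456" "Mozilla/5.0"',
    '203.0.113.6 - - [09/Oct/2008:17:07:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Oct/2008:17:08:00 +0000] "GET / HTTP/1.1" 200 512 '
    '"http://bank.example.net/home;jsessionid=9F8E7D?tab=1" "Mozilla/5.0"',
    '203.0.113.8 - - [09/Oct/2008:17:09:00 +0000] "GET / HTTP/1.1" 200 512 '
    '"http://news.example.org/story?id=42" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A hit whose referring host is your own site means your pages are putting session IDs into URLs; moving the session ID into a cookie keeps it out of the referring URL entirely.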

3 Comment(s)

  1. PJWolf said:
    10/9/2008 4:53 pm

    A good tip if you're on a public PC, however this tip defies the point if you're on your own PC and only you have access to your own PC.

    Because who's gonna take over from your PC after you used it when there's no one else, UNLESS you don’t trust your wife/husband/girlfriend/boyfriend!!!! Then yes, this tip can come into effect!

    Just my thought on this.

    Jason Faulkner reply on October 9, 2008 5:06 pm:

    Actually, this applies to any PC, regardless. If your session ID is in a URL and you navigate to another site, the new site can capture your previous URL as the ‘referrer’.
    This can happen on any computer no matter how secure because it is done through the browser.

  2. LuisR said:
    10/9/2008 6:49 pm

    The referrer URL is only transmitted to the other site if you click on a link from the original site. If you type a URL in the address bar or if you select a site from your favorites list, the referrer is not sent to the next site. There is no referral in both cases. Only when you click on a link.

  3. Joan Aaronsen said:
    10/12/2008 8:42 pm

    Thanks a lot for this heads-up. I have never thought that this could happen, but I knew the session IDs were stored. Just didn’t think another site could sniff them up. We are more vulnerable than we think :(
