Solved How important it is to log out from a website vs clearing history?

try these sites:

If someone wants to track your visits there are ways to make it happen.
If I pay no attention to these old sessions an attacker could spy on my activity.
So an attacker can spy on your activity anyway, cookies or not.


But I think 2FA can also be evil, if you lose your phone or it gets stolen then you're doomed.
Use YubiKey.
2FA issues: not every site will work with 2FA. Also consider passkey option.
 


But here is what I can tell you from my research, some people are journalists who expose things which governments or various groups don't want to be published and so various groups will go after them to identify them and to deal with them.
Also activists do similar things.
These types of people, even though doing nothing criminal or having no special secrets, are easily targeted, not by whomever but by those who have contacts with ISPs or have various legal means to enforce their activities.
Yeah I've heard about that. I've heard that Tails and Tor seem to be a good solution for people in that situation, or a VPN depending on your threat level.

Think about that scenario, put yourself into the position of these example folks and then believing won't be as hard.
Ofc. many different types of activities can attract someone to track you. (I'm not talking about tracking cookies but about targeting individuals for various reasons)
I know but you were talking about cookies and sessions before, you know turned a whole 180 degrees to security and threat levels etc. That's a whole different topic. If I were in someone else's shoes depending on what my threat level is would try and sort out what would be the best course of actions to take to minimize.

Of course you don't believe me, neither would I believe anyone saying such things.
There's probably some truth to it since you are staying consistent but I don't think you should be discussing such things on a public forum but ask a professional to advise you on this if it's really the case for you. At least not here, if I were to want advice on this specific topic I would go to a forum that has that as the main forum topic and that is not linux.org.
 
Yeah I've heard about that. I've heard that Tails and Tor seem to be a good solution for people in that situation, or a VPN depending on your threat level.
Yes true, they also use services such as RiseUp, but I don't belong to them and have no need for this, not exposing anything harmful nor am I a journalist nor seeking to defame anyone or anything similar that would be worth it.

I know but you were talking about cookies and sessions before, you know turned a whole 180 degrees to security and threat levels etc.
It's just a precaution fueled by my habit to delete history instead of logging out of websites so was wondering if I need to change this, because everyone who uses computers likes to learn about online safety to some degree at least.
Session hijacking is IMO a very potent tool for spying but I never learned much about it.

but I don't think you should be discussing such things on a public forum but ask a professional to advise you on this if it's really the case for you. At least not here, if I were to want advice on this specific topic I would go to a forum that has that as the main forum topic and that is not linux.org.
Yes you're right but there are really no secrets on my side nor any wrongdoings to really need to pay a pro to help me keep low level, but I'm fascinated by their methods, it helped me to learn more about possibilities on how they target someone.
Thanks for hint but I'm really not worried.
 
Yes you're right but there are really no secrets on my side nor any wrongdoings to really need to pay a pro to help me keep low level, but I'm fascinated by their methods, it helped me to learn more about possibilities on how they target someone.
Thanks for hint but I'm really not worried.
I see, it sounded more like you were in that type of situation as in how you were into this topic. I'm sure there are public forums where people know more about this topic if you were to want to know more on the topic.
 
I always log out of websites I belong to.

I always clear history after I log out of any website I have to login to.

Only history would be on the websites end which I have no control over.
 
Not to brag, but some 15 years ago I was spying on my neighbor's web activity because we were on the same LAN and I was exploring Kali. I forgot what that program is called, but I could see every website they visited, including HTTPS ones like YouTube and forums, and then by visiting the same site on my PC I could see what they posted about and what they liked.
Then there is also a program in Kali for HTTPS cookie hijacking but I never used it.
And scary thing is there is no defense against this, if you can do it on WLAN then ISP can do it on cable without any problems.

It really does not take a lot of skills to use the program but my point is that if a regular user can do this then session hijacking for someone who is doing it for money or working for ISP is even more easy to do.
And if they're a corrupt employee and selling that info then you're screwed and no software is going to help you except to learn safe computing and most importantly not to share anything sensitive online no matter how well you think your system is secured.

That's the whole point of this thread, how to prevent it and to learn more about it.
Logging out of websites seems to be a good habit which I don't have.
 
protonmail doesn't support SMS
They sent me a couple of SMSes with a code number to log in, during my short stay with them. I was setting up a trial account at the time.
 
There is HTTP cookie hijacking, not HTTPS (https://ieeexplore.ieee.org/document/7546532). If you force an HTTPS-only session then you are protected, and there are other ways to protect against this threat (changing session keys after authentication, session timeouts and so on).
Then there is also a program in Kali for HTTPS cookie hijacking but I never used it.
nope
unless you just discovered a weakness in the HTTPS protocol (that is SSL/TLS)
 
In your web browsers there is the option to clear history as well as other items. I use Firefox and Chromium and have them set to clear everything when the browsers are closed. This may be the answer for you.
Always,
Wildman
 
They sent me a couple of SMSes with a code number to log in, during my short stay with them. I was setting up a trial account at the time.
I registered my last account some 6yrs ago and phone number wasn't needed, it could be they ask for phone now not sure.

In your web browsers there is the option to clear history as well as other items. I use Firefox and Chromium and have them set to clear everything when the browsers are closed. This may be the answer for you.
Always,
Wildman
Sorry, but we already concluded that clearing cookies doesn't clear the login session. If your cookies are stolen and you clear them, the stolen cookies can continue to be used to log in unless the login session is cleared as well, or unless the cookies expire.

There is HTTP cookie hijacking, not HTTPS (https://ieeexplore.ieee.org/document/7546532). If you force an HTTPS-only session then you are protected, and there are other ways to protect against this threat (changing session keys after authentication, session timeouts and so on).

nope
unless you just discovered a weakness in the HTTPS protocol (that is SSL/TLS)
You're right, my mistake, I was tired yesterday; it's not HTTPS cookie hijacking but SSL cert hijacking.
And the problem with it is that the user will see it as a security warning in their browser, so you rely on their ignorance.
 
This is what I'm talking about.
 

[Attachment: Screenshot from 2024-07-07 02-13-05.png]
@wildman
Yes, I understand, but clearing browser history won't clear stolen cookies (if they're stolen) and won't void sessions on the web service, that's the problem; you only clear locally.
 
You IMO should clear everything listed especially the cache.
Always,
Wildman
 
There is another app you might want to investigate and install: it is DuckDuckGo Privacy Essentials. Also running a good ad blocker is not a bad idea either.
Always,
Wildman
 
I always logout of every site and from time to time clean History and cookies.
 
I think that both logging out and clearing cookies are a good habit. Accounts very often get "hacked" because they log in on a shared/public computer and someone just uses the account for malicious purposes (happened to me in college with a Facebook account).
 
Since I installed CAD it automatically logs me off when I shut it down.
I better start cleaning history and cookies.
 
My understanding is that if you click on Log out, that cookie token is made redundant. So even if somebody elsewhere had it, the original website will not let them proceed on another click. One of you would have to click on log out for the other to lose access too.
Most sensitive sites like banking have timed sessions so if not active the user is automatically logged out after 10 minutes or so. And if they have at least 2FA, new payments should not pass without the additional authentication. That if every payment is conditioned by a new code.
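
The server-side behaviour discussed in the posts above (clearing cookies is local only, while logout, idle timeouts and changing the session id after authentication act on the server), as an added example that is not part of any post and not any real site's code. `SessionStore`, its method names and the 600-second timeout are assumptions made for illustration.

```python
import secrets

IDLE_TIMEOUT = 600  # seconds; assumed value matching the "10 minutes or so" above

class SessionStore:
    """Hypothetical server-side session table: token -> [user, last_seen]."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        token = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[token] = [user, now]
        return token

    def login(self, pre_auth_token, user, now):
        # Rotate the id at authentication: the pre-login token stops working.
        self._sessions.pop(pre_auth_token, None)
        return self.create(user, now)

    def validate(self, token, now):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now - entry[1] > IDLE_TIMEOUT:  # idle too long: expire server-side
            del self._sessions[token]
            return None
        entry[1] = now  # activity refreshes the idle timer
        return entry[0]

    def logout(self, token):
        # Revokes the session for every holder of the token, not just this browser.
        self._sessions.pop(token, None)

def demo():
    store, out = SessionStore(), {}
    anon = store.create("anonymous", now=0)
    token = store.login(anon, "alice", now=10)
    out["pre_login_id_after_login"] = store.validate(anon, now=11)
    copied = token   # constructed: a second copy of the cookie value
    token = None     # browser clears its cookies; the server is never told
    out["copy_after_clearing"] = store.validate(copied, now=20)
    out["copy_after_idle_timeout"] = store.validate(copied, now=20 + IDLE_TIMEOUT + 1)
    token2 = store.login(store.create("anonymous", now=700), "alice", now=700)
    copied2 = token2
    store.logout(token2)  # explicit logout from the legitimate browser
    out["copy_after_logout"] = store.validate(copied2, now=701)
    return out

if __name__ == "__main__":
    print(demo())
```
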
 
One thing I do is use temporary numbers for logins, 2FAs. From the security point of view, it's more secure than using your own number: less likely to get hacked.
I use the numbers from AnonymSMS. I just rent one every month for like $20.
 