
Ask HN: How does Quora auto login work? - starbucksswa
The website automatically logs in to my account without entering mail address and password. How does this work even after restarting router, clearing cache & cookies of browser?
======
mickronome
Don't know, I do however have a problem with Quora that is probably related to
whatever way they achieve their auto login. I have a Quora account, but at
some point in time I accidentally clicked register instead of login, and now
I'm permanently stuck in the registration process. Can't log in, and the
registration is impossible to complete, at least the last time I tried.

Yeah and I tried to clear everything I could, but no dice.

------
Terribledactyl
Does it work when you switch between browsers and do you happen to be on OS X?
Something might live on in keychain/cloud whatever.

They could potentially be using something based on this,
[https://panopticlick.eff.org](https://panopticlick.eff.org)

------
vmorgulis
Maybe with an ETag:

[https://en.wikipedia.org/wiki/HTTP_ETag](https://en.wikipedia.org/wiki/HTTP_ETag)

~~~
bbcbasic
ETag is for notifying that content has been updated, so how would you use the
mechanism to log someone in?

~~~
niftich
You can exploit the fact that HTTP caching sends the ETag back and forth. A
server can set a crafted ETag and basically use it as a session ID. See [1][2]

[1] [http://security.stackexchange.com/questions/12679/how-can-i-prevent-tracking-by-etags](http://security.stackexchange.com/questions/12679/how-can-i-prevent-tracking-by-etags)

[2] [https://github.com/lucb1e/cookielesscookies/blob/master/index.php](https://github.com/lucb1e/cookielesscookies/blob/master/index.php)
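
An added example, not part of the thread: one way to spot the ETag-as-identifier pattern described in the comment above is to compare what several clean browser profiles receive for the same URL and flag resources whose body is identical but whose ETag is unique per profile. The URLs, profile names and ETag values are constructed sample data, and the function names are hypothetical.

```python
import hashlib
from collections import defaultdict

# Constructed observations: (profile, url, ETag header, response body), as a
# proxy log or HAR export would record first visits from clean profiles.
OBSERVATIONS = [
    ("profile-a", "https://tracker.example/pixel.png", '"u-7f3a9c"', b"\x89PNG-constructed"),
    ("profile-b", "https://tracker.example/pixel.png", '"u-02bd41"', b"\x89PNG-constructed"),
    ("profile-c", "https://tracker.example/pixel.png", '"u-e9910a"', b"\x89PNG-constructed"),
    ("profile-a", "https://static.example/app.js", '"5d41402a"', b"console.log(1)"),
    ("profile-b", "https://static.example/app.js", '"5d41402a"', b"console.log(1)"),
    ("profile-c", "https://static.example/app.js", 'W/"5d41402a"', b"console.log(1)"),
]

def normalize_etag(value):
    """Strip the weak-validator prefix and quotes so W/"x" and "x" compare equal."""
    value = value.strip()
    if value.startswith("W/"):
        value = value[2:]
    return value.strip('"')

def suspicious_etag_urls(observations, min_profiles=2):
    """Return URLs whose body is byte-identical across profiles while every
    profile got a different ETag: the validator carries identity, not content state."""
    by_url = defaultdict(dict)
    for profile, url, etag, body in observations:
        digest = hashlib.sha256(body).hexdigest()
        by_url[url][profile] = (normalize_etag(etag), digest)
    flagged = []
    for url, seen in by_url.items():
        if len(seen) < min_profiles:
            continue  # a single profile cannot show per-client variation
        etags = {etag for etag, _ in seen.values()}
        bodies = {digest for _, digest in seen.values()}
        if len(bodies) == 1 and len(etags) == len(seen):
            flagged.append(url)
    return sorted(flagged)

def strip_validators(request_headers):
    """Mitigation sketch: drop If-None-Match so a cached ETag is never echoed
    back to the server (the cost is a full download instead of a 304)."""
    return {k: v for k, v in request_headers.items() if k.lower() != "if-none-match"}

if __name__ == "__main__":
    print(suspicious_etag_urls(OBSERVATIONS))
```

Clearing cookies alone does not remove a cached ETag; the value is only dropped when the HTTP cache entry itself is cleared or the conditional header is withheld.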

------
dingdongding
Maybe you are using Gmail/Facebook login which is already signed in?

~~~
RickS
Nope - I get auto logged in via their links as well, but don't use any 3rd
party auth.

~~~
tchadwick
Are the links from the emails they send out? Might be a token in those links.
I don't have any quora emails right now to check.

~~~
webrender
The email links definitely contain tokens - not only will they log you in but
the articles they generate on the page will reflect the order of articles in
the email you received, as opposed to the most recent articles on your feed.

