logging out will cause the captured sessions to be useless.

So remember to logout.

VPN is really the best overall option.

That assumes the session is killed on logout. I know from first-hand experience that at least one version of Merb didn't do that. I hacked a pretty popular geo-social site by grabbing the session cookie and playing around, then logging out. Was still able to check in after I had logged out and, for good measure, verified that my session was still valid after changing the password. I assume they were using the default sessions setup so I guess it expired. Didn't keep it around to see how long it stayed around.

On reporting it, the response was essentially, "oh you didn't have to go to that much trouble, you could have just used your user/pass from curl…" Completely oblivious to the fact that their app/site was completely vulnerable to session hijacking.

One of the problems with app frameworks is that if you don't know what they're doing (and, more importantly, not doing), you can get yourself in a heap of trouble before you even realize there's an issue. But boy, you sure can make it to market fast. shakes head
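An added illustration of the server-side invalidation the comment above found missing; this is not code from the thread, from Merb, or from the site mentioned. It puts a session store that "logs out" only by clearing the browser cookie next to one that destroys the server-side record on logout and revokes every session when the password changes, then replays a captured cookie against each. The class and function names and the 24-hour idle lifetime are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Assumed idle lifetime for a session, in seconds (not a value from the thread).
SESSION_TTL = 24 * 3600


class ClientSideLogoutStore:
    """Logout only tells the browser to drop its cookie; the server record survives.

    This is the behaviour the comment above describes: a cookie captured before
    logout keeps working afterwards, and a password change does not touch it."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "expires": ...}

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable 256-bit session id
        self._sessions[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
        return sid

    def logout(self, sid):
        # Defect being illustrated: nothing is removed server-side.
        return {"Set-Cookie": "session=; Max-Age=0"}

    def change_password(self, user):
        pass  # existing sessions for this user are left alone

    def user_for(self, sid):
        rec = self._sessions.get(sid)
        if rec and rec["expires"] > time.time():
            return rec["user"]
        return None


class ServerSideLogoutStore:
    """Logout deletes the server record; a password change revokes all of a user's sessions.

    Session ids are stored hashed so a dump of the store does not yield live cookies."""

    def __init__(self):
        self._sessions = {}  # sha256(session id) -> {"user": ..., "expires": ...}
        self._by_user = {}   # user -> set of hashed session ids, for bulk revocation

    @staticmethod
    def _key(sid):
        return hashlib.sha256(sid.encode()).hexdigest()

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        key = self._key(sid)
        self._sessions[key] = {"user": user, "expires": time.time() + SESSION_TTL}
        self._by_user.setdefault(user, set()).add(key)
        return sid

    def logout(self, sid):
        key = self._key(sid)
        rec = self._sessions.pop(key, None)  # the captured cookie now maps to nothing
        if rec:
            self._by_user[rec["user"]].discard(key)
        return {"Set-Cookie": "session=; Max-Age=0"}

    def change_password(self, user):
        # Revoke every session the user holds, including ones an attacker captured.
        for key in self._by_user.pop(user, set()):
            self._sessions.pop(key, None)

    def user_for(self, sid):
        rec = self._sessions.get(self._key(sid))
        if rec and rec["expires"] > time.time():
            return rec["user"]
        return None


def replay_after_logout(store):
    """Capture the cookie, log out, replay it. Returns the user the store still accepts, or None."""
    sid = store.login("alice")
    captured = sid  # constructed sample: the value an attacker would have sniffed
    store.logout(sid)
    return store.user_for(captured)


def replay_after_password_change(store):
    """Capture the cookie, change the password, replay it."""
    sid = store.login("alice")
    store.change_password("alice")
    return store.user_for(sid)


if __name__ == "__main__":
    for cls in (ClientSideLogoutStore, ServerSideLogoutStore):
        print(cls.__name__, "after logout:", replay_after_logout(cls()),
              "after password change:", replay_after_password_change(cls()))
```

Running it shows the client-side-only store still returning "alice" for the replayed cookie in both cases, while the server-side store returns None. The check a reviewer can apply to any framework is the same as the one in the thread: log in, copy the cookie, log out, and confirm the copied cookie is rejected, then repeat after a password change.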

Most sites don't properly invalidate sessions when you log out, so you can't protect yourself as well as you think. See our slide on this topic:


Excellent points on the slideshow. The general lack of care on this topic among web companies is worrisome.

Just tried it with iGoogle

Logging out doesn't kill the session.