> There are many more opportunities for an attacker to reuse a stolen cookie.
Why would an attacker wait to use a stolen cookie? Does this actually increase the attack surface, or simply just put the bad guy on a shorter timetable?
Also, every time someone visits your site you could delete their old token and save a new one. That way stolen cookies only last until the page is re-visited.
> There are many more opportunities to exploit a CSRF vulnerability if users are always logged into the target site.
That argument is valid for most sites, even sites whose sessions only survive until the browser is closed. At this stage in the game it is barely a real argument, as so few sites log you out within a reasonable time frame.
> Users might be under the impression that when they close the browser, they'll be logged out. Breaking this expectation can have privacy implications. For this reason, I think it would be good to have a "Keep me logged in" checkbox, even if it is checked by default.
Aside from banking sites, how many sites log you out right now when you close the browser? I cannot think of many. I'm all for having a logout button. I would expect public computers to be set up to clear the browser's history, cache, and cookies when it is closed, as every modern browser supports.
> Many people, especially the poor, still use computers that are either shared (with family and/or friends) or public (schools, libraries and Internet cafes). Although these people probably only make up a small minority of your userbase, I think it's important to afford them no less security than you do your other users.
Most shared/public computers are set up specifically to delete browser information upon exit for this very reason. If you are going to design every website on the internet for the one or two places that have their machines set up horribly poorly, then you really are targeting the lowest common denominator.
Alternatively just add a logout button.
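One way to implement the rotate-on-every-visit idea from the comment above, as an added example that is not code from the thread: a server-side session store that retires the presented token on each request and issues a fresh one, so a copied cookie stops working as soon as the legitimate user makes their next request. `SessionStore`, its in-memory dict and the timestamps are all constructed here.

```python
import secrets
import time


class SessionStore:
    """Constructed in-memory session store with single-use, rotating tokens."""

    def __init__(self, idle_timeout=1800):
        self._sessions = {}  # token -> {"user": str, "last_seen": float}
        self.idle_timeout = idle_timeout  # seconds of inactivity before a session dies

    def login(self, user, now=None):
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        self._sessions[token] = {"user": user, "last_seen": time.time() if now is None else now}
        return token

    def touch(self, token, now=None):
        """Validate a presented token. On success the old token is deleted and
        (user, new_token) is returned; on any failure None is returned."""
        now = time.time() if now is None else now
        entry = self._sessions.pop(token, None)  # single use: the old token dies here
        if entry is None:
            return None  # unknown, already-rotated, or logged-out token
        if now - entry["last_seen"] > self.idle_timeout:
            return None  # idle expiry: stale sessions are dropped, not renewed
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = {"user": entry["user"], "last_seen": now}
        return entry["user"], new_token

    def logout(self, token):
        return self._sessions.pop(token, None) is not None


def demo():
    """Show that a copied cookie is dead after the real user's next visit."""
    store = SessionStore()
    t0 = 1_000_000.0
    cookie = store.login("alice", now=t0)
    stolen = cookie                                   # copy taken at this moment
    user, cookie = store.touch(cookie, now=t0 + 10)   # alice visits again: rotated
    replay = store.touch(stolen, now=t0 + 20)         # the copy no longer resolves
    idle_store = SessionStore()
    idle = idle_store.touch(idle_store.login("bob", now=t0), now=t0 + 4000)
    return user == "alice" and replay is None and idle is None
```

Per-request rotation does narrow the window, but concurrent requests from the same browser (parallel asset fetches, open tabs) can present an already-rotated token, so real deployments usually keep a short grace period during which the previous token is still accepted.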