I was wondering if there is a difference between logging off a internet banking session or if you just close the tab? Is there a security threat where some third party may keep the session "alive" when you closed the tab?
-
Join the MyBroadband community
South Africa’s biggest forum. Discuss, discover, and connect with thousands of members.
-
Question of the Day: Have you ever been to an airshow?
"log off" or close the tab
- Thread starter janplank
- Start date
biometrics
Honorary Master
- Joined
- Aug 7, 2003
- Messages
- 71,856
- Reaction score
- 2,239
I'd say in theory it's possible to re-establish the connection with the existing cookie. Logging out clears the cookie.
RoganDawes
Expert Member
Correct. The cookie (assuming a session scoped cookie) remains in your browser as long as the browser itself is running. While the cookie will typically have an inactivity timeout on the server, set to 30 minutes for example, other sites may make the timeout significantly longer.
If someone opens a tab in your browser, and goes back to an authenticated page (i.e. one that would check the session linked to your cookie) before the timeout, they would likely be able to access your authenticated session.
Actually following the "Logout" link should invalidate the session linked to the cookie (i.e. delete all the variables stored in the session), and typically set the cookie to "" at the same time.
biometrics
Honorary Master
- Joined
- Aug 7, 2003
- Messages
- 71,856
- Reaction score
- 2,239
Little, depending if you practice safe computing.
RoganDawes
Expert Member
Indeed. The attacker would need to get access to your computer somehow, or else have found a Cross Site Scripting vulnerability in the site you are logged into which would allow them to steal your cookie. Forcibly logging out limits the time that that cookie remains valid for, and terminates its usefulness for an attacker who may have stolen it, whatever the means.
So ultimately, yes. It is best practice to actually "log off", rather than just closing the window. Some sites try to catch the windowClosed event, and execute the logoff for you, but this is browser dependent, IIRC, and doesn't always work.
The_Unbeliever
Honorary Master
Some banking sites logs you off after a few minutes.
I usually closed the tab because it's only myself using that PC, but in future I'll be more careful.
I usually closed the tab because it's only myself using that PC, but in future I'll be more careful.
KleinBoontjie
Honorary Master
When I close a tab, while logged into FNB on that tab, I see a little window popping up and show that it's closing a session with FNB. But I still feel safer logging out myself.