Broken authentication and session management is the #2 item on the OWASP Top 10 list of web application risks (in the 2013 and 2017 editions), and it can expose a user’s account to takeover. Attackers can hijack an active session on a vulnerable website and impersonate the logged-in user. I’ve been asked several times: do I need to log out of websites?
It is critical to log out of a website when you are done using it. A properly implemented sign-out function ends the session on both sides: the browser discards the session cookie, and the server deletes its record of the session, so any copy of the session token is no longer accepted. Shorter sessions shrink the window in which a hijacked session can be used. There are easy ways to log out quickly.
Most websites provide a prominent link, button, or menu option. More sensitive sites like banks and government service websites will automatically log out inactive users. Later, I have some tips for quickly logging out of several sites at once. First, what types of sites should users manually sign out of, and when is it okay to stay logged in?
When It’s Important To Log Out Of Sites
It is essential to log out of websites that store personally identifiable information (PII) and sensitive data. It is critical to sign out of financial and government sites. Log out of email, because many services send account recovery and password-less login links by email, so whoever holds your mailbox session can take over your other accounts. Signing out ends the session so that a stolen copy of it cannot be replayed.
Sites to log out of manually include:
- Financial Institutions: banks, investment accounts, cryptocurrency wallets, and exchanges
- Government Services: tax, licensing, motor vehicle, and benefits administration sites
- Email: school, personal, and especially work email accounts.
- Cloud Storage: online file sharing, document storage services, photo, and video sites
- Shopping: any online store that stores your PII and payment information like credit card numbers
It’s not just certain types of sites where it’s important to log out.
When you use a shared computer or mobile device, sign out of each website as soon as you’re done using the service. You need to make sure that someone using the laptop or tablet will not find your active session.
Consider a shared device a toxic situation!
Computers in computer labs, hotel business centers, libraries, or even shared among roommates should be avoided whenever possible. An attacker with physical access to a device has multiple ways to capture or reuse your session, for example by installing a keylogger or copying the browser’s cookie files.
But even using a personal device in a public space raises the risk of an account compromise. Shoulder surfing takes no skill at all, and on public WiFi an attacker can intercept or tamper with any traffic that is not protected by HTTPS.
It’s just a good practice to always sign out of a website once you’re done. …but are there times or certain types of sites that it’s okay to remain logged in?
When It’s Okay To Stay Signed In
It is okay to stay signed in on websites that do not have personally identifiable information. Examples of lower-risk sites include forums, social networks, and online tools. Users with full physical control of their device and a private data connection may remain logged into frequently-used sites.
Online tools are a site category where it’s safer to stay signed in for extended periods. Recipe sites, online educational platforms, movie and TV databases, and even news sites are generally less attractive targets, and a breach of one exposes less valuable information.
|Caveat: If you’ve reused a username and password on both lower- and high-risk sites, you’ve put the higher-valued site at risk. Password re-use is the #1 item on our password checklist.|
Online forums and privacy-respecting social networks that allow users to use their platforms without collecting too much PII are generally safe to keep an active session. I generally trust open-source, federated social media sites more than their corporate cousins for collecting less user data.
Some websites and services notify users of new sessions, offer the ability to see other active sessions, and remotely log out of unauthorized sessions. Users who are less concerned with the potential for session hijacking may decide to stay logged into these types of sites.
Answering this question will tell you if you should log out of a website:
Will a hack of my account in the next 10 minutes take me 10 days (or more) to recover from?
You can take this test a step further. What is your hourly pay rate? Let’s say you get paid $10 per hour.
$10/hour x 8 hours x 10 days = $800
If clicking the logout button takes 10 seconds, this costs you…
$10 / 60 minutes / 60 seconds x 10 seconds = $0.0278
So, let’s compare:
$800 to clean up a possible account hack
$0.03 to click a logout button
I know: This is way over-simplified, but the cost comparison is clear:
You’re better off signing out of websites.
How To Log Out of a Website If There’s No Logout Button
Modern websites with user accounts or profiles have a logout button, though it may not be prominently displayed. First, look for a sign-out option by expanding the main menu or clicking your profile picture or avatar. Alternatively, press Ctrl-F and search the page for terms like log out, exit, or sign out. Some sites only show a logout icon.
Common logout icons are a power symbol or an open door with an arrow pointing out of it.
Some sites have an automatic logout feature. After a pre-defined period of inactivity, the site will automatically log you out and redirect your browser back to the home page or login screen.
If you’re unable to locate a log-off option, use the help, support, or “contact us” page of the site to ask how to log off correctly.
Alternatively, you can leverage your browser’s settings to clear an active session:
- Open any regular browser window or tab (not an incognito or private one)
- Use the keyboard shortcut that opens your browser’s clear-browsing-data dialog:
  a. Chrome, Edge, Brave, and Firefox on Windows or Linux: press Ctrl+Shift+Delete
  b. Chrome, Edge, Brave, and Firefox on Mac: press Command+Shift+Delete
- Select cookies and site data, and choose a time range of the last day or longer
Note: This method only deletes the session cookie and site data from your browser. The server’s record of the session stays valid until it times out, so anyone who already copied the cookie can keep using it. These steps are only half a solution.
How To Log Out of Several Websites Automatically
To log out of several websites automatically, use incognito or private browsing mode every time you use a browser; when you close the private window, its cookies and site data are discarded. Bookmarks reduce reliance on history autocomplete, and a password manager replaces the convenience of staying signed in. Session hijacking is still possible while the private window is open, but your exposure ends when you close it.
Yeah, using private or incognito mode all the time sounds like a ridiculously annoying usage pattern. Trust me, it took a couple of weeks for me to realize it wasn’t all that bad.
Remember that humans have a superpower: We get used to new situations pretty quickly. We’re adaptable. Give this “always in private or incognito mode” a try.
It’s nice to know your browser has forgotten the session, and someone who gains access to your device would need to start a new one.
Note (Again): This has the same problem as the previous section. It only removes the session cookies and local storage from your browser and does not expire the session on the web server.
But there’s a better solution that clears the local and server sessions.
How To Sign Out of Several Websites With 2 Clicks
To sign out of several websites at once, users can collect logout addresses into a bookmarks folder. Web browsers can launch multiple bookmarks simultaneously from a bookmark collection. At the end of a session, users can launch their sign-out bookmarks then close their browser.
This method signs out of both the local browser and the remote server session, provided the site’s logout address accepts a plain GET request. Many sites require the logout to be a POST with a hidden token, precisely so that a third party cannot log you out with a link; those logout addresses will not work as bookmarks.
Here are the step-by-step instructions to create a Logouts bookmarks folder:
- Create a bookmarks folder in your browser called Logouts.
- Find the log-out link/URL address for a target site and copy it to your clipboard. Hover over the site’s own logout button and read the address in the status bar, or watch the Network tab of the browser’s developer tools while you log out. This may require some guesswork.
- Save a bookmark to any page on the site into your Logouts folder
- Right-click the bookmark and choose the Edit or Properties menu
- Simplify the name of the bookmark.
- Paste the URL or address to the sign-out address you found in Step 2.
- Save the edited bookmark
- Repeat Steps 2-7 for each site you regularly use
- When you’re done with your session, right-click (#1) your Logouts folder and click (#2) Open all or Open All in Tabs.
- Wait for all the pages/tabs to load, then close your browser.
I’ve tested a few browser extensions that claim to log out of services for you. These are generally clunky and/or poorly programmed. The method I outlined above is private and a native solution within your browser…instead of something you add to it.
Should I Log Out of Websites On A Smartphone?
Generally, it is a good idea to log out of websites in a smartphone’s mobile browser. It is usually not necessary to sign out of native smartphone apps, which handle sessions differently: the app keeps its token in storage that the operating system protects, and the device lock screen stands in front of it. Mobile operating systems and app developers add several security layers that make attacks harder to accomplish.
For high-value services, mobile app developers will also program additional security measures.
Your bank’s mobile app usually includes security features like:
- PIN or biometric requirement to launch
- Short automatic sign out timeouts
- Disabling the operating system’s screenshot function
- A multi-step, initial sign-in procedure
If you’re not using a native app, remember that a mobile web browser runs roughly the same engine as a desktop browser and has the same session-handling weaknesses. Log out of any browser-based application or website when you’re done using it.
What Happens When You Forget To Logout
If you forget to log out of a website, know that most websites automatically invalidate inactive sessions. Users can re-open browser tabs to properly sign out. Clearing browser data can also help mitigate session hijacking. Some websites or services provide remote log-out functionality.
Usually, a website’s developers set an expiration for inactive sessions. Idle timeouts of about 15 minutes to an hour are common defaults, and the timeout is shortened for more sensitive sites.
Users can reopen previously closed tabs with the keyboard shortcut Ctrl-Shift-T. After the closed tab reopens, find the logout button or menu option to manually expire your session. This tip only works in regular browser tabs that keep history, not in incognito or private browsing mode.
Some multi-platform sites/services list your sessions and allow you to log out other active sessions remotely.
A select few websites will automatically log you out of older sessions upon establishing a new one.
Logging Out When Using Social Log In Buttons
Understand that social login buttons do not control sessions on the third-party sites that implement them.
These buttons only help create an account and establish a new session for the third-party site.
Suppose you create a user profile on The Hot New Social Network (THNSN) using a Facebook login button. In that case, that transaction is recorded by Facebook who passes some of your basic information to THNSN.
You can go to Facebook and revoke THNSN’s access to your Facebook account, but this neither logs you out of your session on the third-party site nor deletes your THNSN account.
You’ll have to do session handling with THNSN yourself.
|You give up more of your privacy when you use social login buttons. Here’s a quick read about those login with Google or sign up with Facebook buttons.|
Okay. So how do hackers get my active session in the first place?
How Hackers Hijack Sessions
In the dark corners of the internet, hackers buy and sell information and access to make a living.
They’re getting paid for things like access to a social profile for users, email addresses, or another sensitive account. They also trade and post sensitive files or other digital content.
One way to get access is to hijack an active session. The classic route is a man-in-the-middle (MITM) attack, sometimes called a machine-in-the-middle attack because once the weakness is found the interception is automated and runs very quickly.
When you log into a website, your browser sends your credentials and receives a session token, usually stored in a cookie. Each time your browser loads a page or resource, it sends the token so the site can confirm you’re logged in. From then on the token is your identity, which is why it must be long, random, and sent only over HTTPS.
When you sign out, a correctly built site deletes its record of that token and stops accepting it, even if a copy still exists somewhere.
Session hijacking via a MITM attack works by intercepting and relaying the victim’s traffic, essentially eavesdropping on it, which lets the attacker read the session token in transit. Over HTTPS the token is encrypted in transit, so this only works when the site, or part of it, is served over plain HTTP or the attacker can get the browser to trust a bogus certificate; in practice stolen session cookies more often come from malware or physical access to the device.
The hacker can also piggyback their own traffic on the session. Since the attacker is impersonating the victim’s identity, they can exfiltrate the same content and data the user has access to. The hijacker can also update, delete, and lock out the victim taking control of the account.
…definitely an attack worth defending against by simply clicking the log-out button.