?? Completely quit your browser after connecting to sites that require logging in ??

[latrosicarius]

I have heard that you have to close your browser after visiting a secure page in order to stay safe. Is this really true?

I'm not so much worried about someone walking up to my computer and re-logging-in when I'm not looking... I lock the desktop when I'm away. I'm more worried that if I don't close the browser, the next site I visit might see my POSTDATA or previous URL or something and be able to get my login name + pass that way.

What about in FireFox --- does closing the Tab work or does the whole thing need to be closed?

http://www.washington.edu/computing/...practices.html

Completely quit your browser after connecting to sites that require logging in

Browsers remember your ID and password until you completely quit the browser. Simply closing the window you logged in to the service will not clear its memory. You must close all windows of the browser program and quit the program itself.

Otherwise, after you leave your computer, someone could bring up one of the unclosed windows, go to the service, and get in without being prompted for an ID or password. The browser will thoughtfully provide the ID and password from its memory.

In a related situation, anytime you have to give your UW NetID and password to get into a computer, such as in a computer lab or when using a kiosk, you should go through the complete logout and exit process before leaving the computer. DO NOT just walk away from your session.

Thanks

[peterb]

Yes. To be absolutely sure - shut down the browser. (Whichever one you are using). This will ensure that the secure session terminates.

[Andaho]

If it's an important site like online banking, they have a logout button - it's best to always click that before browsing else-where, and that insures your account cannot be accessed without signing it again - although you can still sometimes press the back button to see a cached copy of the page you were on.

[peterb]

Incidentally, if you have multiple copies of IE running (multiple windows) you need to shut them all down to bve sure of ending a password enabled session (ie, remove the cached password)

[cotswoldcs]

I must say I'm not very good at logging out of internet banking sites - I usually close the browser of navigate elsewhere. Like you I'm not worried that someone might access my computer but if there is a risk by browsing other sites without logging off first maybe I will have to rethink my security.

[latrosicarius]

Thanks for the tips I guess I'll keep closing it. And pushing log off of important sites like banks.

[dancingmatt]

Very interesting, I do logoff from banking but not always when shopping - and often have loads of browser windows on the go.

Thanks all

DM

[Paul Adams]

It is most likely referring to "session cookies".

A browser opens a page on a website and the user enters some credentials which are stored in the memory of the browser process so that you can navigate between pages on that site without being prompted on every page to re-authenticate.

Navigating away from the page, or even the site, does not clear session cookies - so you can go through the browser history to return to the site later without needing to authenticate.

If you close the browser, the process is terminated and all the memory released - open the browser again and you will need to authenticate once more.

Alternatively, the website provides a "log out" button which erases the session cookie information, so navigating back to the page doesn't automatically authenticate you.

Note that this is per process, so a single instance of a browser with multiple tabs will be sharing memory, but separate browsers will have their own private session cookies.


"Permanent" cookies are stored as files on disk, to allow things like auto-logons for sites such as this one, for example.

With these cookies used, multiple browsers would be reading from (and writing to) the same cookie file.


HTTPS sites requiring authentication should only ever use session cookies, to ensure that a "genuine" logon is occurring.

[merdat]

You are best to use any log out facilities that are on the sites especially on line banking ones. I try not to leave hexus without logging out -just habit.

If you are really worried than run ccleaner before resuming browsing that should clear your cookies.