Mail Cookies Issue

From ThePlaz.com


This is a Tech post I made at TWiT.tv on 24 March, 2006 - 4:54pm in response to Security Now Episode 32 about the way I think cookies are handled in the browser.


I think I know what the cookie issue is for any type of web-based log in service. When you log in, a session cookie is stored on your machine. This cookie is absolutely necessary on a normal website. When you go from page to page, the session cookie keeps you logged in for each page. Without it, you would need to log in before you can view each and every page. (And therefore you couldn't view any pages, because your log in would be lost bringing up that page, therefore returning you to the endless cycle of log in pages.) AJAX might be different because you might never leave the web page. [I'm not sure, though.] A session cookie is absolutely necessary for a log on system. That is why some sites say you need cookies enabled to log in (and even if they don't say it, you still need cookies). And that is why you can never disable cookies in your browser.

Most sites have some sort of "remember me" checkbox (including Google/Gmail). (Some have the opposite, a "public computer" checkbox.) When you check "remember me"/don't check "public computer," the site leaves a persistent cookie on your computer. This can keep you logged in between computer sessions without seeing the log in page. Some sites are now just storing your user name/email, not your password, in the persistent cookie. When you return, they still show you the log on page, but fill in your email address for you already. You still need to put in your password for the reasons "dusanmal" mentioned (if someone gains physical or cookie-storage-location [maybe?] access to your machine). Some sites (Microsoft Passport) give you the option to save both your email and password or just your email address. Some sites, like Yahoo!, did (I don't think they still do) keep both your email and password in a persistent cookie for the time of your choosing (like Leo mentioned) and also keep just your email/user id in another cookie for when the other one expired. Google does not offer that, so Leo couldn't find that option.

So at public computers:

1. Don't check "remember me" or check "public computer" (depending on what is offered).
2. Close your browser window to delete the session cookies.
3. Better yet, hit "log out" to delete the session and persistent cookies.

-Michael Plasmeier plaz[{(at)}]theplaz[{(dot)}]com

(PS, Steve what do you think of this article: http://redtape.msnbc.com/2006/03/the_real_threat.html ?)
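The cookie mechanics the post describes, shown as an added Python example (not part of the original post, and not the code of Google, Yahoo! or Passport): a login service hands out a session cookie with no Max-Age/Expires, so the browser drops it when closed, and, only when "remember me" is ticked, a persistent cookie carrying a random token rather than the password. Closing the browser loses the session but the persistent token can mint a new one; "log out" revokes both server-side and tells the browser to drop both. The `USERS` table, the cookie names and the 30-day lifetime are constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed sample credential store for this example (hypothetical; a real
# service keeps password hashes, never plaintext).
USERS = {"alice": "correct horse"}


class LoginService:
    def __init__(self):
        self.sessions = {}   # session id -> username, kept server-side
        self.remember = {}   # remember-me token -> username, kept server-side

    def _new_session(self, username, cookie):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        cookie["session"] = sid
        cookie["session"]["httponly"] = True
        cookie["session"]["secure"] = True
        # No Max-Age/Expires: a session cookie, discarded when the browser closes.

    def login(self, username, password, remember_me=False):
        """Returns the Set-Cookie jar to send back, or None on bad credentials."""
        if USERS.get(username) != password:
            return None
        cookie = SimpleCookie()
        self._new_session(username, cookie)
        if remember_me:
            # Persistent cookie: a random token bound to the user on the server.
            # The password itself never goes into any cookie.
            tok = secrets.token_urlsafe(32)
            self.remember[tok] = username
            cookie["remember"] = tok
            cookie["remember"]["max-age"] = 30 * 24 * 3600   # 30 days
            cookie["remember"]["httponly"] = True
            cookie["remember"]["secure"] = True
        return cookie

    def whoami(self, sent):
        """sent: dict of cookie name -> value, as the browser would send them."""
        return self.sessions.get(sent.get("session"))

    def resume(self, sent):
        """Browser was closed (session cookie gone) but the remember cookie
        survived: mint a fresh session for that user, or None if no valid token."""
        username = self.remember.get(sent.get("remember"))
        if username is None:
            return None
        cookie = SimpleCookie()
        self._new_session(username, cookie)
        return cookie

    def logout(self, sent):
        """Step 3 of the post: revoke both server-side records and instruct the
        browser to drop both cookies (Max-Age=0)."""
        self.sessions.pop(sent.get("session"), None)
        self.remember.pop(sent.get("remember"), None)
        cookie = SimpleCookie()
        for name in ("session", "remember"):
            cookie[name] = ""
            cookie[name]["max-age"] = 0
        return cookie


def is_persistent(morsel):
    """A cookie survives a browser restart only if it carries Max-Age or Expires."""
    return bool(morsel["max-age"]) or bool(morsel["expires"])


def browser_sends(cookie):
    """Reduce a Set-Cookie jar to the name=value pairs a browser echoes back."""
    return {name: m.value for name, m in cookie.items()}


if __name__ == "__main__":
    svc = LoginService()
    jar = svc.login("alice", "correct horse", remember_me=True)
    print(jar.output())            # two Set-Cookie lines; only "remember" has Max-Age
    print(svc.whoami(browser_sends(jar)))
    after_close = {"remember": jar["remember"].value}   # session cookie is gone
    print(svc.whoami(after_close))  # None: must resume from the persistent token
    fresh = svc.resume(after_close)
    print(svc.whoami(browser_sends(fresh)))
```

The `is_persistent` check is the practical test for any site: look at the Set-Cookie lines the login response returns, and anything with Max-Age or Expires will outlive the browser window, which is exactly what step 2 of the post does not clear and step 3 does.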