Sunday, May 22, 2011

Making logout a bit more complicated

An established and widely applied design principle in web application security is to provide users with a logout button on every page of an application. Ideally, this button is always in the same place, so that users can leave the application with one click on a known spot. Making logout as simple as possible, and having users actually use the logout function, prevents a number of possible attacks: cross-site request forgery, session hijacking, or simply someone using the same computer and thereby gaining access to the session are a few examples.

However, some popular platforms seem to prefer making logout a bit more complicated. Google Mail and Facebook are just two examples:

As you can see, logout needs at least two clicks, which might lead to a decrease in the total number of users actually using the logout button. While this leads to a decrease in security, it also leads to an increase in privacy problems.

Popular platforms want your session to stay established as long as possible, in order to be able to track which web sites you use and gather as much information about a person as possible. Social media plugins like the Facebook Like button come in handy in this process, as third-party cookies and of course your current IP address are visible to the respective platforms when you access external sites with these plugins integrated. So long, happy tracking!

1 comment:

  1. It's the same with LinkedIn - the logout button is hidden behind the user's name, though you don't need to click twice, just hover over it.