Exiting HTTPS web sites

[D.Duck]

When leaving a HTTPS site is there a preferred method to exit. That is,
just close IE or is it important to click the sites "Log-Off" button.

Do both totally close the connection?

Thanks

 

[Thee Chicago Wolf]

When leaving a HTTPS site is there a preferred method to exit. That is,

just close IE or is it important to click the sites "Log-Off" button.

Do both totally close the connection?

Thanks

Always use the logoff when possible otherwise it may continue to keep
your logged-on session open on the remote https server and can
possibly prevent you from logging on until the logged-on session times
out due to activity.

- Thee Chicago Wolf

 

[D.Duck]

Always use the logoff when possible otherwise it may continue to keep
your logged-on session open on the remote https server and can
possibly prevent you from logging on until the logged-on session times
out due to activity.

- Thee Chicago Wolf

Thanks. Is there any security problem by not using the "log-off" method?

 

[Thee Chicago Wolf]

Thanks. Is there any security problem by not using the "log-off" method?

Well, what sometimes happens when, let's say, you have two sessions of
Internet explorer or Firefox open and you close the session that you
were using to check you bank account, if you open a new browser window
and navigate back to your bank web site, more often than not, it'll
still think you are logged in because you have not closed ALL of the
Internet Explorer or Firefox windows. Something like that *could* be
exploited if you were to walk away from a computer and someone jumped
onto it and visited your bank web site hoping the session was still
active due to all the browser windows not being closed. The browser is
basically not released from system memory until it and all it's
windows are completely shut down. That will kill any sessions you
might have had running and will require you to log in if you were to
start the browser back up and visit the web site. Mind you, this
doesn't take into account Internet Explorer or Firefox's password
managers that might have been told, through user confirmation, to
always remember the password for certain sites. Play it safe, log off
properly, don't use password managers if you can help it (or just have
a bad memory for usernames and password). Hope that helps.

- Thee Chicago Wolf

 

[Plato]

When leaving a HTTPS site is there a preferred method to exit. That is,
just close IE or is it important to click the sites "Log-Off" button.

Do both totally close the connection?

Always use the log off tab if it's there.

 

[D.Duck]

Well, what sometimes happens when, let's say, you have two sessions of
Internet explorer or Firefox open and you close the session that you
were using to check you bank account, if you open a new browser window
and navigate back to your bank web site, more often than not, it'll
still think you are logged in because you have not closed ALL of the
Internet Explorer or Firefox windows. Something like that *could* be
exploited if you were to walk away from a computer and someone jumped
onto it and visited your bank web site hoping the session was still
active due to all the browser windows not being closed. The browser is
basically not released from system memory until it and all it's
windows are completely shut down. That will kill any sessions you
might have had running and will require you to log in if you were to
start the browser back up and visit the web site. Mind you, this
doesn't take into account Internet Explorer or Firefox's password
managers that might have been told, through user confirmation, to
always remember the password for certain sites. Play it safe, log off
properly, don't use password managers if you can help it (or just have
a bad memory for usernames and password). Hope that helps.

- Thee Chicago Wolf

Thanks to Plato and you for the insightful information.

 

[Twayne]

When leaving a HTTPS site is there a preferred method to exit. That
is, just close IE or is it important to click the sites "Log-Off"
button.
Do both totally close the connection?

Thanks

No. If you logged on, be sure to log off, THEN close the browser
window. Most will eventually time out if you just leave the site
without signing out, but that length of time varies. It's an
opportunity for someone else to peruse your data if you haven't logged
out.

Logging out does not necessarily close the connection: In fact, most of
the time they take you to a screen where you can log back on.

 

[Tim Slattery]

Thanks. Is there any security problem by not using the "log-off" method?

Yes. As long as your session remains open, the remote server will
accept a transmission containing the session cookie that's been being
sent back and forth as legitimate. It's a long shot to be sure, but
somebody could have been listening in and catching the session cookie,
and could then use it after you abandon the session.

The fact that you're using HTTPS rather than HTTP (you did specify
that), makes it *much* less likely that somebody could decrypt the
session cookie before the session times out, of course. And the server
will close the session after some period of inactivity.