
Session Fixation Flaw Keeps Cookies Alive for Major Services after Logout

Bogdan BOTEZATU

March 22, 2013


A new flaw in cookie handling that makes log-ins persistent has been discovered by security researcher Rishi Narang.

When a user logs into an account, the server sends a cookie (a small piece of text) that holds his session ID and tells the server he successfully passed authentication and should be served content without a further log-in prompt when navigating between pages.

Cookies are set to expire, either when they reach their validity date, or when the user logs out. The new discovery, however, reveals that a number of websites such as Yahoo, LinkedIn and Twitter still keep the cookie/session ID for an authenticated session valid even if they have expired or the user has logged out of his account.

According to the researcher's report, old cookies for these services can simply be added to the browser and they become valid immediately, even if they are expired or nulled via logout.

“…These cookies are days (sometimes months) old. As a result, someone can successfully access accounts that belong to individuals from different global locations. Even if they would have logged-in/logged out many times, their cookie would still be valid,” reads the blog post.

The situation is even worse for Yahoo users. Earlier this year, a spam message redirected users to a malicious page where they had their cookies stolen. Most were advised to simply log out of Yahoo services to render the stolen cookies useless for the attacker. If today's report is true, some of the unauthorized account usage reports may still be the result of the cookie harvesting campaign in January, although those cookies should have gone rotten quite a while ago.
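To illustrate the logout behaviour described above, here is an added example (not code from the article or from any of the services named): a minimal in-memory session store with a "cookie-only" logout, which leaves the server-side session alive so a saved copy of the cookie keeps working, beside a logout that destroys the server-side record, plus a server-side expiry check. The store, the session layout and the `ttl_seconds` parameter are constructed for this example.

```python
import secrets
import time

# Constructed in-memory session store: session id -> {"user": ..., "expires": unix time}.
sessions = {}

def login(user, ttl_seconds=3600, now=None):
    """Issue a fresh, unguessable session id for `user` and record its expiry server-side."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "expires": now + ttl_seconds}
    return sid

def logout_cookie_only(sid):
    """Weak pattern: the server only tells the browser to discard the cookie
    (Set-Cookie with Max-Age=0) and never touches its own session table.
    Any saved copy of the old session id therefore stays valid."""
    return "Set-Cookie: session=; Max-Age=0"

def logout_server_side(sid):
    """Hardened pattern: delete the server-side record as well, so the id is dead
    no matter how many copies of the cookie exist elsewhere."""
    sessions.pop(sid, None)
    return "Set-Cookie: session=; Max-Age=0"

def authenticate(sid, now=None):
    """Map a presented session id to a user, or None if it is unknown or expired.
    Expiry is enforced here, on the server; the cookie's own Expires attribute is
    only a hint to the browser and proves nothing."""
    now = time.time() if now is None else now
    rec = sessions.get(sid)
    if rec is None:
        return None
    if now >= rec["expires"]:
        sessions.pop(sid, None)  # lazily purge the stale record
        return None
    return rec["user"]
```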

Author


Bogdan BOTEZATU

Bogdan is living his second childhood at Bitdefender as director of threat research.
