Remembering the login and password information and having to type it in every time you come to a website might be one of the most annoying features of the internet. There are many great tools to help you remember your many passwords, like lastpass.com for example. But once you have logged in you want your browser to remember you, and trust you so that you do not ever have to do it again. The last thing you can think of is voluntarily clicking on the log-out button, right?
What does log-in and log-out do?
The login procedure serves a couple different purposes. It verified that the user name you provided exists in the records for the site and that the password matches. It grants you the privileges on the site that match your credentials – you can be a regular user, have access to premium content, or even be an administrator. An important thing to know about websites is that they do not retain any information from one page view to the next. The only memory the browser has is the information saved in what’s called “Cookies” and “Session”. Without these you would have to log into the site with every page change.
When you log in a “session cookie” is created to “remember” who you are and that you have already logged in. When you log out the “session cookie” is destroyed.
Session cookie security
Stealing the session cookie from you gives someone else full access to the website as if they were you. A stolen cookie would bypass two-factor authentication, IP verification and all other security checks. The session cookie is the most coveted prize for a hacker. A cookie can be stolen from your browser by a piece of malware unknowingly installed without you ever being aware of it. The hacker will have access to your site as long as the session cookie is valid. You can read more about the stolen session cookie statistics here.
The importance of logging out
When you log out (yes, click on the “log out” button) the session cookie is destroyed. All the stolen copies of your session cookie are now invalid and the hacker loses access to the site you were logged into.
WordPress Implications
A typical WordPress session is valid for 48h. If you click on the “remember me” button your session cookie is valid for 14 days. If you have administrator privileges, do not check the “remember me” box and always log out from your session when you are done working.
WP CLI gives you opinions to close sessions for specific users (wp user session destroy). You should also periodically update the salts (wp config shuffle-salts) which will close all active sessions.
Leaving your session open is like leaving your house doors unlocked. Are you suspecting your site might be compromised? Our developers can help you scan the site and establish good security routines.
Photo by PhotoMIX Company: https://www.pexels.com/photo/black-handled-key-on-key-hole-101808/