
How does gmail keep track of my sign-in status ?

  • #1 ZoZoZo


    Hi,

    I'm trying to figure out how Gmail keeps track of my signed-in status. E.g. if another site offers the option 'Sign in with Google', I enter my Gmail credentials to get access to another site; if I then open Gmail in another tab it goes straight to my inbox (no credentials required), so it is clearly keeping track of the fact that I already logged in (albeit on another site). So, I'm trying to figure out how Google keeps track of my signed-in status? I would have assumed it was via a cookie. So I go to Firefox -> Preferences -> Privacy & Security -> Clear Data.
    After this Firefox lists:
    Cookies and Site Data (0 bytes)
    Cached website content (0 bytes)
    Yet if I open Gmail in a new tab I'm still getting straight through to my inbox, no credentials required. So, how is Google doing this? It's highly undesirable and very creepy. Does this suggest a bug in Firefox (that it's not actually clearing data as it should)? I'm using version 87.0 on Ubuntu 18.04 LTS.

    Thanks,

    Zozo


Comments



  • You are signed in on your device, not just your browser. On your google account Security settings you can see what devices are signed in. Google uses OAuth protocol for any third party "Sign In with Google" API access.

    see myaccount.google.com for devices signed in




  • > You are signed in on your device, not just your browser
    Well, this sounds even more disturbing. So you are saying Google has planted something like a cookie somewhere on my hardware that my browser is unaware of and therefore is unable to delete. Where is this information stored and how do I delete it?

    And how does this work exactly? If it's just identifying the device, then does this mean that if someone else uses a different account on the same device they can see my inbox? This seems like a security nightmare.




  • Just tested this with a fresh Firefox profile (87.0, Windows 10):
    1. Sign in at mail.google.com
    2. Tools => Options => Privacy and Security => Clear Data => Clear
    3. Refresh the mail.google.com tab
    Result: need to sign in again. So it looks like a problem specific to your setup OP. Unless you can replicate it in a fresh Firefox profile?






  • ZoZoZo wrote: »
    > You are signed in on your device, not just your browser
    Well, this sounds even more disturbing. So you are saying Google has planted something like a cookie somewhere on my hardware that my browser is unaware of and therefore is unable to delete. Where is this information stored and how do I delete it?

    And how does this work exactly? If it's just identifying the device, then does this mean that if someone else uses a different account on the same device they can see my inbox? This seems like a security nightmare.


    A lot of apps now use the Google API to facilitate a single sign-on type user experience. There's more to websites than cookies and cache: companies use persistent browser functionality and Google services running in the background on most devices to sync, or wait and then sync when next connected to the internet, always-on type services.

    Stay signed in or out of your Google Account


    Turn sync on and off




  • 28064212 wrote: »
    Just tested this with a fresh Firefox profile (87.0, Windows 10):
    1. Sign in at mail.google.com
    2. Tools => Options => Privacy and Security => Clear Data => Clear
    3. Refresh the mail.google.com tab
    Result: need to sign in again. So it looks like a problem specific to your setup OP. Unless you can replicate it in a fresh Firefox profile?


    When I do this on my setup, after step 3 I still get straight to my inbox, no sign-in required, although ironically, at the Clear Data step a pop-up warns me 'this may sign me out' of any websites I'm logged into. The fact that they use 'may' is a bit disturbing, and indeed the fact that I don't get logged out in the case of Gmail.

    I have found that if I close Firefox altogether and then relaunch it and go to gmail I am logged out. So this is looking more and more like a bug in Firefox on Linux.



    But from DeaconSheridan's link:


    If you're using a public computer or someone else's device:
    1. Browse in private.
    2. When you’re done, close all private browsing windows. You'll be automatically signed out.
    Note this says close all private browsing windows as opposed to tabs, which I guess suggests that what I'm seeing is expected, although that wouldn't explain how Google are doing this, as I certainly haven't knowingly installed any Google services that could be running in the background on my system. Moreover, it doesn't explain why the same thing doesn't happen on Windows 10.



    Zozo




  • ZoZoZo wrote: »
    although ironically, at the Clear Data step a pop-up warns me 'this may sign me out' of any websites I'm logged into. The fact that they use may is a bit disturbing and indeed the fact that I don't get logged out in the case of gmail.

    They say 'may' because not all sites use cookies or local storage to persist sessions. Sites can use IDs in the URL or query string, they may use NTLM, they could even use IP address if they wanted.




  • As they say, a little knowledge is a dangerous thing.





  • How can one trust website XYW has a bona fide 'Sign in with Google' and it isn't just taking your login credentials?





  • Because the first step of "Sign in with Google" is to take you to https://accounts.google.com/o/oauth2/v2/auth/... So long as the URL is HTTPS and on the Google domain, XYW can't fake that.

    Now, if the site says "put in your google password in this text box =>" and you do, then yes, you're screwed

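    The check described in the two answers above (the first reply's point that "Sign in with Google" is OAuth, and the advice that the first hop must be an HTTPS URL on the Google domain) written out as code. This is an added example, not code from the thread or from Google: it assumes the genuine endpoint is https://accounts.google.com/o/oauth2/v2/auth as quoted above, that the site uses the OAuth 2.0 authorization-code flow (client_id, redirect_uri, response_type, scope plus a state value against login CSRF), and the client ID, site names and sample URLs are constructed for the example.

```javascript
// Added example (not from the thread): decide whether a "Sign in with
// Google" redirect really lands on Google's OAuth 2.0 authorization
// endpoint, the way a careful user would eyeball the address bar.
// Assumptions: the genuine endpoint is the one quoted in the thread and
// the site uses the authorization-code flow with a state parameter.

const GOOGLE_AUTH_HOST = "accounts.google.com";
const GOOGLE_AUTH_PATH = "/o/oauth2/v2/auth";
const REQUIRED_PARAMS = ["client_id", "redirect_uri", "response_type", "scope", "state"];

// Returns { ok, problems } so the caller sees every reason a URL was
// rejected, not just the first one.
function checkGoogleSignInUrl(rawUrl) {
  const problems = [];
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { ok: false, problems: ["not a valid absolute URL"] };
  }

  // 1. Transport: anything but HTTPS can be rewritten on the wire.
  if (url.protocol !== "https:") {
    problems.push(`scheme is ${url.protocol} not https:`);
  }

  // 2. Host: compare the parsed hostname exactly. Using the parser rather
  //    than a substring match on the raw string defeats lookalikes such as
  //    accounts.google.com.evil.example and userinfo tricks such as
  //    https://accounts.google.com@evil.example/ (hostname is evil.example).
  if (url.hostname !== GOOGLE_AUTH_HOST) {
    problems.push(`host is ${url.hostname}, expected ${GOOGLE_AUTH_HOST}`);
  }
  if (url.username || url.password) {
    problems.push("URL carries userinfo (user@host), a classic spoofing trick");
  }

  // 3. Path: must be the authorization endpoint itself (trailing slash tolerated).
  if (url.pathname.replace(/\/$/, "") !== GOOGLE_AUTH_PATH) {
    problems.push(`path is ${url.pathname}, expected ${GOOGLE_AUTH_PATH}`);
  }

  // 4. Parameters of the authorization-code flow. A missing state means the
  //    site cannot tell its own login response from one an attacker started.
  for (const p of REQUIRED_PARAMS) {
    if (!url.searchParams.get(p)) {
      problems.push(`missing query parameter ${p}`);
    }
  }
  const responseType = url.searchParams.get("response_type");
  if (responseType && responseType !== "code") {
    problems.push(`response_type is ${responseType}; expected "code" for a server-side sign-in`);
  }

  // 5. Where Google will send the authorization code: only HTTPS
  //    destinations should receive it (http://localhost is the usual
  //    developer-only exception, so it is tolerated here).
  const redirect = url.searchParams.get("redirect_uri");
  if (redirect) {
    try {
      const r = new URL(redirect);
      const devLoopback = r.protocol === "http:" && (r.hostname === "localhost" || r.hostname === "127.0.0.1");
      if (r.protocol !== "https:" && !devLoopback) {
        problems.push(`redirect_uri uses ${r.protocol}; the code would travel in clear`);
      }
    } catch (e) {
      problems.push("redirect_uri is not a valid absolute URL");
    }
  }

  return { ok: problems.length === 0, problems };
}

// Constructed sample URLs (hypothetical client ID and site names).
const GENUINE =
  "https://accounts.google.com/o/oauth2/v2/auth" +
  "?client_id=123.apps.googleusercontent.com" +
  "&redirect_uri=https%3A%2F%2Fxyw.example%2Foauth%2Fcallback" +
  "&response_type=code&scope=openid%20email&state=7f3a9c";
const LOOKALIKE = GENUINE.replace("accounts.google.com/", "accounts.google.com.login-check.example/");
const USERINFO = GENUINE.replace("https://accounts.google.com/", "https://accounts.google.com@login-check.example/");
```

    The point of using `new URL()` instead of string matching is that the browser's own parser decides what the host is; a naive `rawUrl.includes("accounts.google.com")` would accept both of the hostile samples above.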





  • Session cookies allow the functionality you describe:

    Session cookie

    A session cookie (also known as an in-memory cookie, transient cookie or non-persistent cookie) exists only in temporary memory while the user navigates a website. Session cookies expire or are deleted when the user closes the web browser. Session cookies are identified by the browser by the absence of an expiration date assigned to them.

    Source: HTTP cookie - Wikipedia


    Since these do not exist as a file, using "Clear Data" will not remove them; you need to close the browser. As well as allowing you to log in automatically, session cookies are susceptible to hijacking, which will give an attacker the same level of access:

    Session hijacking attack Software Attack | OWASP Foundation
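    A worked version of the session-versus-persistent distinction in the post above, and of the hijacking risk the OWASP link refers to. This is an added example, not code from the thread: it parses a Set-Cookie response header by the RFC 6265 rules (a valid Max-Age wins over Expires; neither present means a session cookie that dies with the browser process) and reports which hardening attributes are missing. The sample headers are constructed for the example and are not real Google headers.

```javascript
// Added example (not from the thread): parse a Set-Cookie header and
// answer two questions: does this cookie outlive the browser process
// (the difference between "Clear Data" and quitting Firefox), and which
// hijacking paths are left open by missing attributes.

function parseSetCookie(header, nowMs = Date.now()) {
  const parts = header.split(";").map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? "" : parts[0].slice(eq + 1).trim(),
    expiresAt: null,   // null = session cookie (dropped when the browser exits)
    httpOnly: false,
    secure: false,
    sameSite: null,
    path: "/",
  };
  let expiresHeader = null;
  let maxAge = null;
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    switch (key) {
      case "expires": expiresHeader = val; break;
      case "max-age": maxAge = parseInt(val, 10); break;
      case "httponly": cookie.httpOnly = true; break;
      case "secure": cookie.secure = true; break;
      case "samesite": cookie.sameSite = val.toLowerCase(); break;
      case "path": cookie.path = val || "/"; break;
      default: break;   // Domain, Priority etc. do not matter here
    }
  }
  // RFC 6265 section 5.3: a valid Max-Age overrides Expires.
  if (maxAge !== null && !Number.isNaN(maxAge)) {
    cookie.expiresAt = nowMs + maxAge * 1000;   // <= now means "delete at once"
  } else if (expiresHeader !== null) {
    const t = Date.parse(expiresHeader);
    cookie.expiresAt = Number.isNaN(t) ? null : t;   // unparsable date: treated as session
  }
  return cookie;
}

// True when the cookie is written to the on-disk cookie store and comes
// back after a restart; false for session cookies and already-expired ones.
function survivesBrowserClose(cookie, nowMs = Date.now()) {
  return cookie.expiresAt !== null && cookie.expiresAt > nowMs;
}

// Each missing attribute opens a specific route for session hijacking:
// Secure (capture on a plaintext http:// request), HttpOnly (theft via
// document.cookie after an XSS), SameSite (riding along on cross-site requests).
function hijackingWeaknesses(cookie) {
  const w = [];
  if (!cookie.secure) w.push("no Secure: sent over http:// and sniffable");
  if (!cookie.httpOnly) w.push("no HttpOnly: readable by document.cookie after XSS");
  if (!cookie.sameSite || cookie.sameSite === "none") w.push("SameSite missing or None: attached to cross-site requests");
  return w;
}

// Constructed samples for the example (not real Google headers).
const SESSION_COOKIE = "SID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax";
const PERSISTENT_COOKIE = "SID=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Max-Age=2592000; Secure; HttpOnly";
const WEAK_COOKIE = "PHPSESSID=deadbeef";
const KILL_COOKIE = "SID=; Path=/; Max-Age=0";   // what a logout response sends
```

    Whether a cookie is a session cookie is decided purely by the absence of Expires and Max-Age, so the same name (`SID` above) can be either depending on what the server sent; that is why a "Stay signed in" tick box changes what survives a restart.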





  • https://coveryourtracks.eff.org/ = Your browser fingerprint appears to be unique among the 218,645 tested in the past 45 days.

    They haven't needed cookies for a long time.

    Timing, location, and other metrics can also localise you.
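    A toy version of what the coveryourtracks.eff.org test in the post above measures, added here as an example; it is not the EFF's code or anything from the thread. Attributes a page can read without setting any cookie are put in a fixed order and hashed, so the same browser yields the same identifier on every visit and a different browser a different one. The attribute list, the hash (32-bit FNV-1a, chosen only because it needs no library), the two sample browser profiles and the value-frequency table are all constructed for the example; a real tracker uses many more signals (canvas, fonts, audio) than these.

```javascript
// Added example (not from the thread): cookie-less browser
// fingerprinting, the mechanism the post above points at. Everything
// below runs under Node on plain objects; in a browser the same
// collectAttributes() call would be fed navigator, screen and
// Intl.DateTimeFormat().resolvedOptions().timeZone.

// Dependency-free 32-bit FNV-1a, enough to show the idea (a tracker
// would use a real hash, but the property needed is the same: stable
// output for stable input).
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// The passive signals this toy collects. Real fingerprints use dozens.
const ATTRIBUTE_KEYS = [
  "userAgent", "language", "platform", "hardwareConcurrency",
  "screen", "colorDepth", "timezone", "doNotTrack",
];

function collectAttributes(nav, screen, timezone) {
  return {
    userAgent: nav.userAgent,
    language: nav.language,
    platform: nav.platform,
    hardwareConcurrency: nav.hardwareConcurrency,
    screen: `${screen.width}x${screen.height}`,
    colorDepth: screen.colorDepth,
    timezone: timezone,
    doNotTrack: nav.doNotTrack == null ? "unspecified" : String(nav.doNotTrack),
  };
}

// Canonical form with a fixed key order, so the identifier does not
// depend on object insertion order or on which script built the object.
function fingerprint(attrs) {
  const canonical = ATTRIBUTE_KEYS.map(k => `${k}=${String(attrs[k])}`).join("|");
  return fnv1a32(canonical);
}

// EFF's "bits of identifying information": a value shared by a fraction p
// of browsers carries -log2(p) bits, and independent attributes add up.
// Values absent from the frequency table contribute nothing rather than
// a guess.
function identifyingBits(attrs, frequencies) {
  let bits = 0;
  for (const k of ATTRIBUTE_KEYS) {
    const table = frequencies[k];
    const p = table && table[String(attrs[k])];
    if (p) bits += -Math.log2(p);
  }
  return bits;
}

// Constructed profiles resembling the two setups discussed in the thread.
const FIREFOX_UBUNTU = collectAttributes(
  { userAgent: "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0",
    language: "en-IE", platform: "Linux x86_64", hardwareConcurrency: 4, doNotTrack: "1" },
  { width: 1920, height: 1080, colorDepth: 24 },
  "Europe/Dublin",
);
const FIREFOX_WINDOWS = collectAttributes(
  { userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0",
    language: "en-IE", platform: "Win32", hardwareConcurrency: 8, doNotTrack: null },
  { width: 2560, height: 1440, colorDepth: 24 },
  "Europe/Dublin",
);

// Constructed frequencies (not measured): how common each value is.
const SAMPLE_FREQUENCIES = {
  timezone: { "Europe/Dublin": 0.25 },
  language: { "en-IE": 0.5 },
  platform: { "Linux x86_64": 0.125, "Win32": 0.5 },
};
```

    The identifier changes only when an attribute changes, so clearing cookies does nothing to it; changing timezone, screen size or user agent does, which is why the "looks unique among N tested" figure on the EFF page is the thing to worry about rather than the cookie jar.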


