zlacker

[parent] [thread] 2 comments
1. kidsno+(OP)[view] [source] 2018-09-28 17:26:13
Only if the act of logging out explicitly invalidates the token on the server side
replies(1): >>dylan6+vc
2. dylan6+vc[view] [source] 2018-09-28 18:47:16
>>kidsno+(OP)
This is something I would suspect doesn't actually happen. FB wants to track all of the user's browsing habits, so maybe they just make the actual FB UI look logged out? Security-wise, it would seem to be more complicated by their desire to never let a user be logged out, and looks like it's complicated enough it is biting them in the backside. Oops?!
replies(1): >>dasil0+sL
◧◩
3. dasil0+sL[view] [source] [discussion] 2018-09-29 00:48:32
>>dylan6+vc
It’s not really that complicated, you have auth tokens and you have tracking tokens, and you wouldn’t want to mix them anyway because you also want to be able to correlate multiple accounts logged in from the same browser over time.
[go to top]