Secure session termination is essential for protecting user accounts on the web, especially after sensitive actions such as logging out or recovering a password. While prior work has largely examined cookie invalidation, we investigate the less-studied problem of token invalidation in real-world web applications. Specifically, we focus on JSON Web Tokens (JWTs) to look for invalidation flaws, as JWTs are stateless and require web servers to implement a separate invalidation mechanism for instant invalidation. We present LoginPlus, an automated system that performs user registration, login, and password recovery across websites at scale. Using LoginPlus, we audit the top one million sites from the Chrome User Experience Report (CrUX) to identify flaws in token invalidation. Our study finds that 85% of sites using JWTs for authorization fail to invalidate tokens upon logout. We also observe that 2.67% of sites log users in through email-based verification links, and among these, 48% fail to invalidate the link after 24 h. In addition, 13% of password recovery links remain valid even after use, and 51% of sites do not terminate prior active sessions after a password reset. These findings reveal widespread shortcomings in how tokens are managed after authentication, with critical implications for user privacy and session security. Our work underscores the need for stronger logout and token lifecycle practices in modern web authentication systems.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Login, Logout, Reset: Measuring Security and Privacy Issues in Real-World Web Logins

  • Kazi Farhat Lamisa,
  • Mohammad Mannan,
  • Amr Youssef

摘要

Secure session termination is essential for protecting user accounts on the web, especially after sensitive actions such as logging out or recovering a password. While prior work has largely examined cookie invalidation, we investigate the less-studied problem of token invalidation in real-world web applications. Specifically, we focus on JSON Web Tokens (JWTs) to look for invalidation flaws, as JWTs are stateless and require web servers to implement a separate invalidation mechanism for instant invalidation. We present LoginPlus, an automated system that performs user registration, login, and password recovery across websites at scale. Using LoginPlus, we audit the top one million sites from the Chrome User Experience Report (CrUX) to identify flaws in token invalidation. Our study finds that 85% of sites using JWTs for authorization fail to invalidate tokens upon logout. We also observe that 2.67% of sites log users in through email-based verification links, and among these, 48% fail to invalidate the link after 24 h. In addition, 13% of password recovery links remain valid even after use, and 51% of sites do not terminate prior active sessions after a password reset. These findings reveal widespread shortcomings in how tokens are managed after authentication, with critical implications for user privacy and session security. Our work underscores the need for stronger logout and token lifecycle practices in modern web authentication systems.