Sign out in Gmail

Pkpetr · 19 Dec 2020

Please someone help me with the following: Suppose I was reading my emails (in Gmail) using Chrome, and for some reason (PC or browser crashed etc) I did not (or rather could not) sign out. I then decided to sign in to my email using another browser (e.g. Opera), and I did. And, when finished, I signed out. Questions: Am I signed out in Chrome also? When I sign out, how can I make sure that I am signed out in ALL browsers (irrespective of the browser used) in ALL accounts, and irrespective of whether I am using my desktop PC or my laptop? Thanks.

Roderunner · 19 Dec 2020

When you go to your Gmail page, click on the Last account activity ;Details'

townsbg · 20 Dec 2020

Click on the icon in the upper right hand corner, then manage your account. Look for security checkup and from there expand devices. From there you should be able to log out the devices.

Pkpetr · 21 Dec 2020

Let me be more specific. Suppose I didn't sign out of Gmail using Chrome, but later signed out using another browser? Am I still signed in w/Chrome browser? Thanks.

townsbg · 22 Dec 2020

Pkpetr said:

Let me be more specific. Suppose I didn't sign out of Gmail using Chrome, but later signed out using another browser? Am I still signed in w/Chrome browser? Thanks.

Probably. In my experience google keeps you logged in until cookies are cleared. However if you go to security you should be able to see all the logins and log them out as I showed.

samuria · 22 Dec 2020

In the browser click on you account photo top right and choose logout job done

Pkpetr · 23 Dec 2020

file3456 · 23 Dec 2020

Let me answer your question as best as I can as it relates to cookies and how a server (the software) sees them.

From my memory you have two main types of cookies. Persistent and temporary (for perhaps lack of the correct term). Most of the time you're issued a temp cookie unless you check the 'remember me' box. All this does is tell the server you're logged in. If you log into the same website in another browser and then log out, the other browser's cookies will be invalidated since the last season in the other browser was a log out that the server received.

If the cookie is persistent, that will keep you logged in whether you're in another browser or not. There is no signal to the server of a log out so if some black hoodie wearing "hacker" got a hold of that persistent cookie they could use it to gain entry to your account. But, that's ONLY if you did not log out or if the time of the season hasn't expired for the persistent cookie at the server level. Depending on the website, persistent cookies can last for a few hours or forever which would be very bad in terms of security. For my website, and I'd have to check this again, I think I have persistent cookies either last some four hours or twenty four hours. I need to check again.

So in a nutshell:

If the cookie is persistent your login is persistent until actual log out. A capture of that cookie would allow someone into your account, but there are other things involved which goes beyond the scope of this post.

Temp cookies only exist per browser. If you log out in another browser the other browser's cookies are now invalid. They won't work anymore even though in that browser you were logged in. The other browser invalidated the season in this browser.

You can try this yourself. Make sure you're completely logged out of Gmail in both browsers. Now log in with one browser and keep that browser opened. Now open another browser and log in then log out. Go back to the first browser and you should be logged out even though in that browser you didn't. If not, Google is crap in every single security manner known. That tells me you have a persistent cookie season. Knowing them that's probably what it is. I'd have to check.

Four basic security points:

1) Refrain from the remember me option. If it's on by default untick it.

2) Stay away from the lazy method of using Facebook or what ever for single sign on across many sites. This is called OAuth and is in fact a single point of failure.

3) Use unique long complex passwords per website with a password manager. For the computer minded, use Keepass and periodically backup its database all over the place. Use Argon2, ChaCha20 and a keyfile. DON'T LOSE THE KEY FILE! For the not so computer savvy check out LastPass or Dashlane. I think Norton has theirs and there may be others. Not what I would use, but better than nothing. Keepass2Android works with Keepass, and there is an iOS keepass database understanding App, but I can't remember its name.

4) If a website offers 2FA (Two Factor Authentication) in the security options use it. I use Authy for this. DON'T FORGET YOUR AUTHY BACKUPS PASSWORD! Don't use Google Authenticator or the others. Don't use SMS for 2FA. If SMS or email is all they got then it's better than nothing but very hackable with something called a sim card swap.

*BONUS* Use a good, reputable VPN for open WIFI. Better yet, stay the hell off of open WIFI and just use your cell Internet. Tether if necessary.

townsbg · 24 Dec 2020

If you are using public computers you might want to use either cognito mode in Chrome or Private browsing in Firefox. cookies aren't saved so you shouldn't be logged in after you close the window (although I haven't tested this). It also won't save your browsing history either. On public computers that is that is good practice anyway. How to go incognito in Chrome, Edge, Firefox and Safari | Computerworld

Or you can use a portable version of Firefox if you have a USB drive. Mozilla Firefox, Portable (browser) | PortableApps.com