• 7heo@lemmy.ml
    ↑ 59  ↓ 2 · 1 year ago

    Server side sessions are still valid until you signal to the server to invalidate (destroy) them.

    That’s why “signing off” isn’t remotely the same as deleting cookies, and that’s why JWTs are fundamentally a bad idea, especially without expiration.

    This meme is wrong. It’s the logical equivalent of saying that “extinguishing a fire” and “closing your eyes” are the same thing (as it makes the fire disappear to you), but that closing your eyes is just more convenient.
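
The difference described in the comment above, as an added example that is not part of the original thread: a server-side session stays valid after the browser drops its cookie and dies only on logout, while a signed token without an expiry cannot be withdrawn at all. The token here is a minimal HMAC-signed stand-in for a JWT, and all names and values are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # constructed signing key (assumption)
SESSIONS = {}                      # server-side session store: id -> user

def login_session(user):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid                     # value the server puts in the session cookie

def check_session(sid):
    return SESSIONS.get(sid)       # valid as long as the server remembers it

def logout_session(sid):
    SESSIONS.pop(sid, None)        # "signing off": the server destroys the session

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def issue_token(user, ttl=None):
    claims = {"sub": user}
    if ttl is not None:            # ttl=None models a token with no expiration
        claims["exp"] = int(time.time()) + ttl
    body = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()

def check_token(token, now=None):
    body, _, sig = token.encode().partition(b".")
    expected = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                # forged or modified token
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    exp = claims.get("exp")
    if exp is not None and (time.time() if now is None else now) >= exp:
        return None                # expired
    return claims["sub"]           # no server state consulted: nothing to revoke

def demo():
    out = {}
    sid = login_session("alice")
    browser_cookies = {"sid": sid}
    copy_elsewhere = browser_cookies["sid"]   # same value held outside this browser
    browser_cookies.clear()                   # user deletes cookies locally
    out["after_cookie_delete"] = check_session(copy_elsewhere)
    logout_session(copy_elsewhere)
    out["after_logout"] = check_session(copy_elsewhere)
    ten_years = time.time() + 10 * 365 * 86400
    out["token_no_exp"] = check_token(issue_token("alice"), now=ten_years)
    out["token_15min"] = check_token(issue_token("alice", ttl=900), now=ten_years)
    return out
```
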

  • mle@feddit.de
    ↑ 33 · 1 year ago

    Automatically clear cookies on browser exit, only whitelist the couple of websites you use regularly.

    Has the added benefit of making tracking cookies fairly (but not completely) useless.

      • archchan@lemmy.ml
        ↑ 5 · 1 year ago

        That’s still good practice but first party cookies aren’t exactly trustworthy either. IMO, best to whitelist what you trust and use, permablock what you don’t, and auto-wipe the rest.

          • Daniel@lemmy.mlOP
            ↑ 2 · 1 year ago

            Cookies used by the site, third party would be cross origin.

            (I think)

              • 0xD@infosec.pub
                ↑ 2 · 1 year ago

                To be precise, first-party and third-party just mean whether the cookie set is for the domain you are currently on, or for another one. The latter do not have to be tracking cookies, but are often used as such. You can see the cookies that your browser is storing for a specific site by visiting it and looking at them in the developer tools (Storage or Application tab, depending on browser). Under the “domain” column you can see what domain it is for.

                Furthermore, there you can look at the Local Storage and Session Storage tables which are also often used to store tracking data but are not prevented by cookie deletion.

  • Izzy@lemmy.ml
    ↑ 12  ↓ 1 · 1 year ago

    Only ever using private windows and then Alt+F4ing to automatically delete all session data.

    • ShustOne@lemmy.one
      ↑ 7 · 1 year ago

      These days you’ll need to clear localStorage, sessionStorage, and localDb to really do this. The rise in tokens means some sites only use those.