Login, Logout, Reset: Measuring Security and Privacy Issues in Real-World Web Logins
摘要
Secure session termination is essential for protecting user accounts on the web, especially after sensitive actions such as logging out or recovering a password. While prior work has largely examined cookie invalidation, we investigate the less-studied problem of token invalidation in real-world web applications. Specifically, we focus on JSON Web Tokens (JWTs) to look for invalidation flaws, as JWTs are stateless and require web servers to implement a separate invalidation mechanism for instant invalidation. We present LoginPlus, an automated system that performs user registration, login, and password recovery across websites at scale. Using LoginPlus, we audit the top one million sites from the Chrome User Experience Report (CrUX) to identify flaws in token invalidation. Our study finds that 85% of sites using JWTs for authorization fail to invalidate tokens upon logout. We also observe that 2.67% of sites log users in through email-based verification links, and among these, 48% fail to invalidate the link after 24 h. In addition, 13% of password recovery links remain valid even after use, and 51% of sites do not terminate prior active sessions after a password reset. These findings reveal widespread shortcomings in how tokens are managed after authentication, with critical implications for user privacy and session security. Our work underscores the need for stronger logout and token lifecycle practices in modern web authentication systems.