An under-appreciated aspect of keeping yourself secure online is ending your web browsing session in a complete and orderly fashion.
The best way to securely end your browsing session on the Internet is to completely close all windows and tabs open in your web browser.
Web browsers store cookies – small data files – on your computer that contain information about your web session. In addition, most web applications temporarily store session information about you, your identity, and your use of the application. This is both expected and an entirely normal state of affairs on the Internet and you should consider these facts when ending your browsing session.
Logging Out of SSO
Logging out of SSO is good thing to do because it deletes your session information from the SSO application itself. Logging out also deletes the session caches from all of the SSO-registered applications you used during your session.
Applications registered with SSO include LeaveTraq, TimeTraq, iBenefits, TrainTraq, Time & Effort, and others.
As useful as logging out of SSO is, not all business applications used by employees of the A&M System are registered with SSO. In fact, most 3rd-party applications are not SSO-enabled. This includes Shibboleth-secured applications such as Buy A&M and Electronic I-9 as well as CAS-based applications such as PeopleAdmin.
Because these applications operate outside of SSO, logging out of SSO does nothing to end your sessions within these applications or to remove the applications’ cookies from your computer.
Similarly, if you log on to SSO using a federated Shibboleth identity provider such as TAMU’s CAS application, logging out of SSO does not log you out of the alternate identity provider.
In fact, it is effectively not possible for SSO to log you out of all of the external applications you might use in the course of your daily work at the A&M System.
This means that simply logging out of SSO leaves your CAS, Howdy, and Buy A&M session open and available until you log out of these applications.
What to Do
As stated above, the best way to securely end your browsing session on the Internet is to completely close your web browser.
Modern browsers allow you to open multiple windows and tabs in order to view several web sites at a time. This is a very useful and common thing to do. Unfortunately, because of the way browsers store their session cookies, securely ending your browsing session requires that you close all of your browser windows/tabs.
This is especially true in shared computing environments such as libraries, laboratories, and small offices in which workers share computers.
Because closing your browser tabs is a potentially time-consuming process, the temptation to skip this step and continue working is great. But doing so puts your session information at risk, both to malicious web sites that seek to harvest such information and to intruders who would like to compromise your computer itself.
In all circumstances, completely closing your browser windows/tabs after you have logged out of SSO is the correct, supported way to end your session.
A Broader Note
You should be aware that the concepts discussed in this article have implications for your use of the Internet outside of SSO and its related applications.
Applications such as Facebook, Twitter, Google+, and others operate in a very similar way to SSO and can leave you vulnerable to various attack vectors if you do not close your browser windows/tabs when you are done browsing. This is especially true of applications that you use to log in to multiple web sites (think “Sign in using Facebook”).
As with SSO, completely closing your browser windows/tabs is the best way to end your personal browsing sessions.