
As far as I can tell "by logging out before delivering the data, he can render any session cookies invalid" means that if you use this mechanism and forget to sign out partway through the process you're potentially handing over session cookies. This seems like a really unsafe design.



I think you hand them over regardless, the logout is to render them invalid.

I wonder how many sites neglect that part.
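An added example, not part of the thread or of any site's code: the difference between a logout that only clears the browser's cookie and one that also deletes the server-side session, checked by replaying a copy of the cookie kept from before logout. The `SessionStore` class, its method names and the user `alice` are hypothetical and constructed for illustration.

```python
import secrets
import time


class SessionStore:
    """Minimal server-side session table (hypothetical, for illustration)."""

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}  # token -> (user, expiry timestamp)
        self._ttl = ttl_seconds

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, time.time() + self._ttl)
        return token

    def validate(self, token):
        """Return the user for a live session, or None."""
        record = self._sessions.get(token)
        if record is None:
            return None
        user, expiry = record
        if time.time() >= expiry:
            del self._sessions[token]
            return None
        return user

    def logout_client_only(self, token):
        """Neglectful logout: asks the browser to drop the cookie, keeps the server record."""
        return "Set-Cookie: session=; Max-Age=0; Path=/; HttpOnly; Secure"

    def logout_server_side(self, token):
        """Sound logout: delete the server record so every copy of the token is dead."""
        self._sessions.pop(token, None)
        return "Set-Cookie: session=; Max-Age=0; Path=/; HttpOnly; Secure"


def cookie_survives_logout(logout_name):
    """Log in, keep a copy of the cookie, log out, then replay the copy."""
    store = SessionStore()
    disclosed_copy = store.login("alice")  # constructed sample user
    getattr(store, logout_name)(disclosed_copy)
    return store.validate(disclosed_copy) is not None


if __name__ == "__main__":
    for name in ("logout_client_only", "logout_server_side"):
        print(name, "-> disclosed cookie still valid:", cookie_survives_logout(name))
```

Running the same replay check against a real application's logout endpoint in a test suite shows whether it invalidates sessions on the server or only in the browser.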



