I got this message when I tried to log off from a site:
You are Successfully logged Out of blah blah.
It is recommended that you close your browser when finished
to avoid unauthorized reentry.
Whey do they want us to restart the browser?
I know it has got to do with session/cookie.
What potential threat will not restarting cause?
Is there a way to avoid this restart and still be safe?
Thanks
I don't think restarting the browser will make any change to cookies. We can customize browsers to clear all private data when the browser starts. So by restarting in these cases can be useful. Otherwise there won't be any advantage of doing this.
The only thing that restarting the browser would do is that it would delete session cookies. I don't see any reason why the site couldn't delete it's own cookies, so it shouldn't be a problem.
Theoretically, if you don't close your browser, someone can sit down at your machine and click the back button to see information associated with whatever you were doing - that could be bank accounts, credit card info, personal information - whatever. Unless the site screwed up horribly in their disabling of your session, they can't actually look at anything you didn't look at in that session, or actually change anything, but just being able to see the information might be all they need.
The reason this happens is that browsers tend to cache pages - if you click the back button, it will often load the page from its cache, rather than download it all again.
Of course, it's entirely possible that your browser decided not to cache these particular pages - I seem to recall that at least IE will never cache HTTPS traffic, although I could be wrong - but by showing the message at logout time, then you can't really say you haven't been warned.
Not all browsers actually remove deleted cookies until they are shut down.
Another possibility (aside from cookies) is that they are using Basic Authentication or Digest Authentication. With these mechanisms, there is no portable way to tell the web browser to clear the site's authentication details.