Cookies that keep working after logout

Some of our reporters notice that, especially in some of our less sensitive services and acquisitions, HTTP cookies that are manually extracted from the browser and then replayed to the server will continue to work for some time after logging out.

Most of our highest-impact services are designed to eliminate this possibility. Nevertheless, we believe that most situations that are cited as potential exploitation vectors for this behavior fall outside the security model of modern browsers and operating systems, and can't be meaningfully mitigated by any single website. We discuss this in more detail on the page that deals with the behavior of "back" buttons in our apps.

For pragmatic reasons, with the exception of a handful of high-risk services (e.g., Google Wallet, Gmail), reports of this type don't qualify for credit or reward.