How Amazon lives without a log out
You might have noticed that Amazon does not have a “log out” button. We seem to be automatically logged in when we come back to Amazon even after 4 months. Last night I decided to study how Amazon ensures security even without a log out button.
It turns out to be quite clever, really.
To start with, Amazon partitions its content into 4 sensitivity levels:
- Buying
- Order History/Account
- Personalized
- Public
The Buying section, the most sensitive part of the site, is where you check out the items in your shopping cart and enter your credit card and shipping address. Every time you enter this section you are asked for your username and password, and the exchange is carried over SSL.
The Order History/Account section keeps track of all past orders and your personal details (email address, phone number, etc.). It asks for your password again after a 10-minute period of inactivity.
The Personalized section shows the welcome banner and your book recommendations. As long as Amazon can identify you from your last login, it serves you personalized content without asking for your password again. This is what creates the illusion of being logged in!
The Public section is where you read the book reviews and is the least sensitive section. It does not require any login, of course.
OK, with that out of the way, let’s see how Amazon does all this juggling. I used Paros to capture my sessions with Amazon. Paros also lets me edit the traffic, a capability I needed in order to understand the significance of each variable. I created three test accounts to see how the values change for different users.
It turns out that two variables play a major role in managing sessions at Amazon: session-id, and x-main.
The session-id, a 17-digit random number, is a persistent cookie that expires after 7 days. It is set the first time you reach Amazon. Its value does not change after you log in, nor when you switch users. The only time you get a new session-id is when your current one has expired, or when you submit an invalid one, for example by tampering with the session-id field. Unlike typical session tokens, Amazon’s session token is a persistent cookie and does not die when the browser is closed.
The x-main cookie is a 32-character alphanumeric string that expires only in 2036. It is set when a user logs in. Since it has a very long lifetime, the only time it changes is when a different user logs in. x-main is tied to the identity of the user and is not random.
Amazon uses the x-main cookie to serve personalized content even after the user has been away for several months. A valid x-main value lets Amazon recognize the visitor and welcome them back with personalized pages. The session-id cookie, in contrast, maintains a “session” that spans multiple days and survives reboots. The session information includes the identity of the user, recently visited links and the duration of inactivity.
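The four-tier policy from the section list above and the two cookies just described, put together as an added Python model written for this page; it is not Amazon’s code. The in-memory session store, the test accounts, the decision strings, and the construction of x-main as an HMAC of the user id under a server key are assumptions (the post only says x-main is identity-bound and not random). The point the model makes explicit is that the two cookies answer different questions: session-id says “which session is this and how long has it been idle”, x-main says “who do I think this is”, and only the Buying tier ever trusts neither.

```python
"""Tiered session policy modelled on the post's description of Amazon.
Added illustration, not Amazon's code; the store, the HMAC form of x-main,
the test accounts and the decision strings are assumptions."""
import hashlib
import hmac
import secrets

SESSION_TTL = 7 * 24 * 3600      # session-id cookie lives 7 days
ACCOUNT_IDLE_LIMIT = 10 * 60     # Order History/Account re-authenticates after 10 min idle
SERVER_KEY = b"hypothetical-server-secret"   # assumed server-side key for x-main

PUBLIC, PERSONALIZED, ACCOUNT, BUYING = range(4)   # the four sensitivity levels
USERS = {"alice": "correct horse", "bob": "hunter2"}  # constructed test accounts


def new_session_id():
    """17-digit decimal token as observed in the post, drawn from a CSPRNG."""
    return f"{secrets.randbelow(10 ** 17):017d}"


def x_main_for(user):
    """Identity-bound, non-random 32-character value. Assumed construction:
    HMAC of the user id under a server key, stable per user and unforgeable."""
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()[:32]


def user_from_x_main(x_main):
    """Recognise a returning visitor from x-main alone; no password involved."""
    if not isinstance(x_main, str):
        return None
    for user in USERS:
        if hmac.compare_digest(x_main_for(user).encode(), x_main.encode()):
            return user
    return None


class SessionStore:
    """In-memory stand-in for the server-side session table."""

    def __init__(self):
        self.sessions = {}

    def resolve(self, session_id, now):
        """Return (session_id, record). A missing, tampered or expired id gets a
        fresh anonymous session; that is the only way a new session-id is issued."""
        rec = self.sessions.get(session_id)
        if rec is None or now - rec["created"] > SESSION_TTL:
            session_id = new_session_id()
            rec = {"created": now, "user": None, "last_active": now}
            self.sessions[session_id] = rec
        return session_id, rec

    def login(self, session_id, user, password, now):
        """Password check. The session-id is kept (the post observes it does not
        change on login); the returned x-main is set as a long-lived cookie."""
        rec = self.sessions.get(session_id)
        # plaintext compare for brevity only; a real store holds password hashes
        if rec is None or USERS.get(user) != password:
            return None
        rec.update(user=user, last_active=now)
        return x_main_for(user)


def authorize(store, session_id, x_main, tier, now):
    """Apply the tier policy to one request. Returns (decision, session_id, user)."""
    session_id, rec = store.resolve(session_id, now)
    idle = now - rec["last_active"]   # measured before this request counts as activity
    rec["last_active"] = now
    if tier == PUBLIC:
        return "public", session_id, None
    if tier == PERSONALIZED:
        # A logged-in session or a recognised x-main both get the personalized page;
        # this is the "illusion of being logged in" without a password prompt.
        user = rec["user"] or user_from_x_main(x_main)
        return ("personalized" if user else "public"), session_id, user
    if tier == ACCOUNT:
        if rec["user"] and idle <= ACCOUNT_IDLE_LIMIT:
            return "serve", session_id, rec["user"]
        return "require_login", session_id, None
    # BUYING: the password is demanded on every entry, whatever the session state.
    return "require_login", session_id, None
```

Walking a session through the model reproduces the behaviour in the post: a login keeps the same session-id; the Account tier serves pages for ten minutes of activity and then demands the password; after the 7-day session expiry a fresh session-id is issued, yet the x-main cookie alone still produces the personalized welcome page while the Account tier falls back to a login prompt; a tampered session-id is simply replaced.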
So, how does Amazon ensure security without using a logout button? By partitioning the content into different sensitivity levels, and tracking the x-main and session-id cookies, Amazon ensures that only the authenticated user can access personal details, even as it serves personalized content to a returning user.
It only appears that you are automatically logged in even after 4 months of inactivity; your personal details are safe.
Today is an important day for us at Paladion - it’s our 5th birthday. We celebrated five years of fun and hard work with a trek to the Western Ghats :)
Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We’ll get back to you within one working day.
I am working for Amazon and I have to say most of it is correct :-)