Author Options:

Login-Credentials BUG: Cookie Mishandling leads to possible website-vulnerability Answered

I posted, Reposted and Re-linked over and over again. Nothing happened, not even a notification "we are on it" from the team.

THIS IS A SECURITY ISSUE! People on a no longer logged in PC can see things they arent supposed to!

I had this problem in the past sporadically but never saw a pattern till recently:

I come to instructables.com, i am already logged in and click on "feed" at the top. After a while an error pops up telling me a Rerouting-error happened. (Umleitungsfehler in German). I noticed, this always happens after the following action-pattern:

- I visit instructables.com and log in on computer A and i DONT log out there but only close the browse.

- I visit instructables.com on computer B. I am seemingly already signed in from the last visit here on Computer B at instructables.com.

- If i now click feed (On Computer B), the error happens.

- If i logout and log back in on Computer B, the error is gone on this computer B, even over Firefox-restarts

As far as i undestand, as soon as i log in on computer A, a new login-cookie is created on Computer A and the cookie on Computer B will no longer be valid next time. Now, if i come to instructables with computer B, the cookie somehow still is interpreted valid and logs me in (I appear to be logged in with my avatar visible at the top right). However, if i want to go to my feed, it seems Instructables checks again the cookie and figures out that i have a no longer valid login-cookie on this Computer B due to my login on Computer A and refuses to redirect me to my feed.

This gets sorted with Re-Log on Computer B, creating a NEW login-cookie on Computer B and all is well again on Computer B. Now i can play the same game on Computer A with re-log. :)

I hope, this error-report helps you guys in pinpointing and fixing an issue with a Login-bug as it seems

And Why to hell do i have to define in which channel this belongs and you dont have a channel "website of Instructables"?!? I hope this is not lost in "Circuits" - "Computer" which was the closest i could find to a website-problem... Geez...


The forums are retiring in 2021 and are now closed for new topics and comments.

1 year ago

Thanks for bringing this to our attention. We're investigating and will get to the bottom of this.


1 year ago

We released a fix that should now redirect you to the login page when your cookie expires. Please post up again if the issue persists, we'll be monitoring the forums for your report. Thanks for your patience!

Jack A Lopez
Jack A Lopez

1 year ago

Maybe there should be a Bugs channel? So there would be a channel just for discussions about bugs.

This channel could also include 'ibles about finding bugs. And 'ibles about reporting bugs. And 'ibles about how to work around the bugs that will never be fixed!

Bugs. Bugs. Bugs. Bugs. Bugs. Bugs. Bugs. Bugs!


The attached image of a swarm of menacing cybugs was stolen from the Wreck-It-Ralph Wiki.