pirate / sites-using-cloudflare

:broken_heart: Archived list of domains using Cloudflare DNS at the time of the CloudBleed announcement.

Emphasize that Cookies are not safe #84

Closed Felk closed 7 years ago

Felk commented 7 years ago

If I understand the issue correctly, whole HTTP requests got leaked, including all headers. Those headers will also include Cookie.

I've seen people assume that since they logged in to reddit, for example, via cookie in the past few months, they are safe. It's advisable to log out and log back in to websites using long-living cookies (just locally deleting cookies obviously does not help), and I suggest adding such a notice to the "Impact" and "What should I do" sections.

noelleleigh commented 7 years ago

@Felk noob here, why wouldn't deleting local cookies help?

Felk commented 7 years ago

@noahleigh because that doesn't invalidate the cookies. People with access to the cookies can still use them to authenticate. Instead of manually logging out, you can also delete your cookies locally, but then you have to log back in to every site for them to stop accepting the old cookie. That has the same effect, but just deleting your cookies locally doesn't help per se.

caleuanhopkins commented 7 years ago

@noahleigh @Felk my understanding is that site owners need to replace their salts so the cookie encryption is new and old cookies are rejected. Correct me if I'm wrong on this, though.

OsirisWsjr commented 7 years ago

All you have to do is restart your web server and change the cookie prefix to expire any existing sessions, if you're a little guy without an IT team to take care of it for you.

caleuanhopkins commented 7 years ago

@OsirisWsjr well, you could, technically, but it's best to re-do the salts. For example, if you're running WordPress: https://www.wordfence.com/blog/2017/02/cloudflare-data-leak/ There's even an online salt generator here: https://api.wordpress.org/secret-key/1.1/salt/

Felk commented 7 years ago

Well, Reddit hasn't logged me out yet, so I wouldn't trust the webmasters to take care of this.

pirate commented 7 years ago

@Felk reddit is not affected, they were on Fastly during the affected period.

pirate commented 7 years ago

I don't think this is safe advice: "It's advisable to log out and log back in to websites using long-living cookies". Logging out doesn't invalidate all your active sessions, and you may have others that could have leaked. Closing this for now; if you want, submit a PR to add to the "What should I do?" section of the README, and I'd be happy to review it.
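The three claims argued over in this thread (deleting a cookie locally does nothing, logging out only kills that one session, and rotating the server-side secret rejects every old cookie at once) can be shown with a toy signed-cookie server. This is an added example written for this page, not code from the sites-using-cloudflare repo or from any framework mentioned above; the `SessionServer` class, its HMAC cookie format and the user/session names are all constructed for illustration.

```python
"""Toy HMAC-signed session cookies (added example, hypothetical API).

Demonstrates, in the order the thread raises them:
  * a Cookie header captured from a leaked request stays valid after the
    victim deletes the cookie in their browser (the server never sees that),
  * logging out revokes one session, not the user's other live sessions,
  * rotating the server-side secret ("salt") invalidates every old cookie.
"""
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode


class SessionServer:
    """Stateless signed cookies plus a small revocation set for logouts.

    Shape is similar in spirit to framework session cookies (payload + MAC
    under a server secret); nothing here is any real project's code.
    """

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)   # the "salt" operators rotate
        self.revoked: set[str] = set()          # session ids killed by logout

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.secret, payload, hashlib.sha256).hexdigest()

    def login(self, user: str) -> str:
        """Issue a cookie value of the form base64(payload).hex(hmac)."""
        payload = json.dumps({"user": user, "sid": secrets.token_hex(8)}).encode()
        return urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def authenticate(self, cookie: str):
        """Return the user name for a valid, unrevoked cookie, else None."""
        try:
            b64, sig = cookie.split(".", 1)
            payload = urlsafe_b64decode(b64)
        except Exception:                        # malformed cookie
            return None
        if not hmac.compare_digest(self._sign(payload), sig):
            return None                          # wrong or rotated secret
        data = json.loads(payload)
        if data["sid"] in self.revoked:
            return None                          # explicitly logged out
        return data["user"]

    def logout(self, cookie: str) -> None:
        """Revoke exactly the session the cookie belongs to."""
        if self.authenticate(cookie) is not None:
            payload = urlsafe_b64decode(cookie.split(".", 1)[0])
            self.revoked.add(json.loads(payload)["sid"])

    def rotate_secret(self) -> None:
        """Replace the signing secret; no previously issued cookie verifies."""
        self.secret = secrets.token_bytes(32)
        self.revoked.clear()   # old sids can never validate again anyway


def demo() -> dict:
    """Walk through the thread's scenario; returns who each cookie logs in as."""
    server = SessionServer()
    laptop = server.login("alice")   # constructed sample sessions
    phone = server.login("alice")
    leaked = laptop                  # attacker copies the Cookie header

    results = {}
    # 1. Alice deletes the cookie in her browser. The server is not involved,
    #    so the attacker's copy still authenticates.
    results["after_local_delete"] = server.authenticate(leaked)
    # 2. Alice logs out on the laptop. That session dies, the phone's does not,
    #    and the phone cookie could equally well have been in a leaked request.
    server.logout(laptop)
    results["laptop_after_logout"] = server.authenticate(leaked)
    results["phone_after_logout"] = server.authenticate(phone)
    # 3. The operator rotates the secret. Every outstanding cookie is rejected;
    #    only a fresh login works.
    server.rotate_secret()
    results["phone_after_rotation"] = server.authenticate(phone)
    results["fresh_login"] = server.authenticate(server.login("alice"))
    return results


if __name__ == "__main__":
    for step, who in demo().items():
        print(f"{step:22s} -> {who}")
```

Run it and the middle step is the one worth noticing: after the laptop logout the phone cookie still returns `alice`, which is the point made in the closing comment above. Only the operator-side rotation rejects everything, and that is the step a user cannot perform for themselves.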