I'd be interested to see how many competing social networks exhibit the same behavior. Specifically, Twitter and Google+ have similar social buttons.
Imagine I wanted to do this but not get caught. What would you improve? Clearly the cookies will need to look different pre and post logout, but how different?
Hell, HackerNews leaves a cookie on your computer after you log out with some opaque blob holding who-knows-what. Users like to complain about cookies when you bring them up, but generally can't seem to bother. Including the two of us.
As stated in the article, so when you log in again from the same computer, they don't have to do the whole two-factor "I've never seen this computer before" text-message handshake with you.
I already pointed out that HN leaves a cookie behind in another comment, so here's a different tack: is there a site on the first page of http://www.alexa.com/topsites that actually leaves no cookies behind when you log out?
A major faux pas like leaving your uid in the clear in the cookie after logout certainly seems to bother us, but I don't think users (even savvy users) care about leaving some cookies behind. For the record, I've installed various opt-out browser extensions in the past (only to switch computers/browsers and forget to bring them along)--I don't think my views are pro-cookie or even moderate.
> I don't think users (even savvy users) care about leaving some cookies behind.
In most contexts, that is true. A Slashdot cookie is just a line in a text file until you visit Slashdot. But a Facebook cookie is sent home every time you visit a page with any FB spam on it.
The mysql.com malware is trivial. Hitting Facebook would get most everyone, users and not.
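The point raised across these comments, that a site's logout response may leave a cookie behind that still names the user, can be checked mechanically by comparing the cookies set before and after logout. The script below is an added example, not code from the thread or from any of the sites discussed; the cookie names and values are constructed for illustration, and it only looks at Set-Cookie headers, so no network access is needed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def snapshot(headers):
    """Reduce a list of Set-Cookie headers to {name: (value, attrs)}; later headers win."""
    return {name: (value, attrs) for name, value, attrs in map(parse_set_cookie, headers)}

def is_cleared(value, attrs):
    """A logout only removes a cookie if it sets Max-Age=0, a past Expires, or an empty value."""
    if attrs.get("max-age") == "0":
        return True
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) < datetime.now(timezone.utc)
        except (TypeError, ValueError):
            return False
    return value == ""

def audit_logout(pre_headers, post_headers, user_id):
    """Classify every cookie seen around logout and flag survivors that still carry user_id."""
    pre, post = snapshot(pre_headers), snapshot(post_headers)
    findings = {}
    for name in pre.keys() | post.keys():
        if name not in post:
            status = "untouched"          # logout never mentioned it, so the browser keeps it
        elif name not in pre:
            status = "new"                # set for the first time by the logout response itself
        elif is_cleared(*post[name]):
            status = "cleared"
        elif post[name][0] == pre[name][0]:
            status = "unchanged"
        else:
            status = "rotated"
        survivor = post[name][0] if name in post else pre[name][0]
        findings[name] = {"status": status,
                          "leaks_uid": status != "cleared" and user_id in survivor}
    return findings

# Constructed sample: cookies as sent while logged in, and as rewritten by the logout response.
PRE_LOGOUT = ["uid=10023; Path=/; Domain=.example.test", "sess=9f3c7a; Path=/; HttpOnly; Secure",
              "device=d41-known-laptop; Max-Age=63072000; Path=/", "lang=en; Path=/", "csrf=abc; Path=/"]
POST_LOGOUT = ["sess=; Max-Age=0; Path=/", "uid=10023; Path=/; Domain=.example.test",
               "device=d41-known-laptop; Max-Age=63072000; Path=/",
               "csrf=abc; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/", "last_user=10023-x; Path=/"]
```

Running `audit_logout(PRE_LOGOUT, POST_LOGOUT, "10023")` reports the device-recognition cookie as an unchanged survivor with no user id in it (the behavior the article justifies), and the `uid` and `last_user` cookies as survivors that still identify the user.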