This is speculative, but I believe the issues with the website either sporadically logging people out or not seeming to know whether they're logged in or not - such as saying you're logged out but then showing you games on the homepage that you have wishlisted - are due to a multitude of inconsistencies providing some parts of the website over http and some over https. While https was added not long ago presumably on everything, they never changed the site to redirect all http queries to https, and many links in the website code still point to http:// even when the page you're viewing is https://.

This kind of mixed-mode operation is notorious for causing obscure wonky website behaviour where modern browsers wont trust cookies over http on an https site or other behaviours, all of which can be further complicated by whether people are using security addons such as NoScript or others.

I think some things GOG could do to make their entire website-property-emporium extremely simpler and more robust are:

- to completey ditch raw http access to the entire *.gog.com domain, and have the webserver automatically redirect all queries to http to https.

- to ensure all cookies are transferred over https at all times

- to review all html/css/js/php/whatever for all references to http or https on *.gog.com and replace them with the protocol neutral variant of simply: "//forum/general/whatever" so that the web browser substitutes the proper protocol depending on how it's accessing the website.

And once they've fleshed all of that out and stabilized it to the point they fully trust their https deployment they should further go ahead and:

- Enable HSTS in their webserver configs in order to enforce HTTPS across the entire domain.

- Update the webserver SSL/TLS configuration to best current practices for security and backward compatibility as documented by Mozilla and other industry players recommendations: <span class="bold">https://wiki.mozilla.org/Security/Server_Side_TLS</span>

- Thoroughly test their TLS deployment with tools like Qualys SSL Pulse:

GOG's current SSL/TLS security rating from SSL Pulse is a mix of grade A on the main servers and B on Akamai CDN:
https://www.ssllabs.com/ssltest/analyze.html?d=gog.com&amp;hideResults=on&amp;latest
https://www.ssllabs.com/ssltest/analyze.html?d=www.gog.com&amp;s=193.59.178.42&amp;hideResults=on
https://www.ssllabs.com/ssltest/analyze.html?d=www.gog.com&amp;s=23.192.247.45&amp;hideResults=on

The latter of which has missing intermediate certificates in the certificate chain, poor signature algorithm (SHA1, which will soon be ostracized by all web browsers), insecure RSA cipher support and broken forward secrecy support. Inconsistent with the rest of the GOG servers and probably should be brought up to current standards and that bad certificate replaced and the CA's intermediates put on the webserver.

If it isn't already, SSL Pulse testing should be integrated into GOG's webserver QA procedures to ensure correct operaton and best practices going forward.