Judging by rotorde's message, interesting that there can be even true security issues by leaving oneself logged in.

Anyway, I log out simply because I am not necessarily the only user of the device/browser, and I don't necessarily make separate accounts on the various Android, Windows and Linux devices I use for every user that might use it. Older Android versions don't even support several accounts.

For instance, I quite often might go to some web site with my wife's phone because it has a bigger screen and an unlimited data plan, unlike my shitty old Android phone and work SIM. Sometimes my wife might want to go online with one of the PCs (if it is too hard with the phone) and use the same browser as me.

So, yeah, I don't want her or anyone else to semi-accidentally log in to e.g. gog.com as me, and find out how many games I've bought over the years and demand to know how much money I've used on them. I like to delete also the history from the browser for the same reason.

I still remember how I accidentally logged in to my friend's email account because he had not logged out from it, using my PC and browser. Ok, so I logged out for him, after sending some pictures to his boss... Just kidding. Or am I? Of course I am. NOT?

Another practical reason I log out is that then I remember the passwords to various sites/services better if I need to enter them every time. When I earlier used autologin, then I may have forgotten the username/email address and password when try to log in from another PC. This has happened at least with VoipDiscount and Steam.

Only if you are using unprotected *free* Wi-Fi (or phone which isn't secure at all) and willing to give away your data to potential hacker.

There are a few issues here that I think you need to understand.

Firstly, what does staying logged on mean? Most people just see this magic effect and don't consider it, but it means that some information about logging into a website is stored on your computer. Almost universally this is done using cookies (there are other options for flash and silverlight). Assuming cookies, this cookie usually stores an ID that corresponds to a successful login attempt, and the login on the server has stored the same ID, thus allowing it to verify that you are still the same person (as only you can "in theory" know that ID). Poorer implementations may actually store your credentials used to log on, but this is rare, and really bad practice.

So, in theory, you're fine staying logged in because cookies can only be read by the domain that issued them, and therefore GOG will be the only ones that can read the ID. However as rotorde pointed out, by embedding sites into iFrames, and driving vulnerabilities in those sites, they can in effect make you do things on the site as though you were doing it yourself. For example, if posting a message involves hitting the URL "http://www.gog.com/PostMyMessage?Message=NastyStuff", then that url could be in an iFrame as you load it, and that then is run when you access a nasty site, and because it's you hitting the url, and it's GOG verifying it, the cookie is valid, and the post is made.

There's also the concept of Sidejacking. This is where you log onto something like a bank, and that gives you a "session cookie", that basically runs for about 20 minutes, and keeps you logged in until then (every time you hit the website it renews it, so it's a rolling expiry). However if via a browser vuln or just interception of traffic that is not https then an attacker can get this session, and then start using your session as their own. This is why it's a good idea to click the signout button on your internet banking, even though it doesn't keep you signed in, as that 20 minute session is still hanging around.

There's more, but really, if you're worried about your account being compromised, sign out every time, and sign in every time.

Personally I'm not too bothered about the hit of someone taking my GOG account, I'll get it back and there's not much they can do with it.

No. if you stay log in you only log in on your computer... if you use a public computer it can be a problem... but if you use a private computer it's not a problem at all (nobody access your computer so it's reasonably safe).

Thanks for the confirmation and of course I only use GOG on my own computers.

I never visit this site in some college computer.

deleted

He should probably prepare for... unforseen... consequences...

*lip smack*