Why do some websites keep logging me out?

Specifically, Amazon and eBay. Not all the time, just once in a while. I have them both marked as “Keep me logged in” or whatever it is. It seems to me that this has only been happening since I moved from Windows 8.1 to Windows 10 on a new PC about 3 months ago.

If I open either of the sites, they always know who I am (cookies, I suppose) but sometimes if I go to look at something like past orders, it asks me to log in. And there seems to be a higher frequency of needing to log in when I try to do something from outside the site, like tracking a package from email. Again, I don’t remember this happening, or perhaps it did but much more rarely, before.

And as you can imagine, “why” is only part of the question, the other part is: can I do anything about it?

“why” - for security. for certain activities they want to be sure that you didn’t walk away and now someone else is in your account.

Yeah, that^. Sounds like a pretty standard security measure to me.

Other, less likely possibility: your (their) cookie may have been corrupted somehow. It happens. Clear your cookies and cache and try it again. This should always be one of your first moves if experiencing an issue with any given website.

That (standard security) would make sense if it happened every time I tried to do one of these activities, but it doesn’t. Only sometimes.

Do you clean up “private data” like cookies in your browser on a recurring basis? Most website “logged in” status is implemented as a cookie containing a session token. If you delete that, you’re logging out.

Could also be keyed off the age of the cookie. If you faced a password challenge 5 minutes ago from this computer that may be sufficient proof of your identity to view more sensitive information. If the password challenge was a month ago, it may not be.

Having a “logged in” state with 100% access to all user information, and a “logged out” state with 0% access probably not the access model being used here. A website can decide that it knows your identity well enough to customize the landing page with “Hello ” but not well enough to give out your past orders.

That may be one of the lines of evidence used to confirm identity, since some of that information gets sent with each request (see What is my user agent? - WhatIsMyBrowser.com ). If a website has figured out that you typically send a certain user-agent, and you start sending another it may take some time to figure out what the “new normal” is.

There’s very likely some complicated and regularly updated logic on Amazon’s end that gives activities a “fraud danger” score that’s dependent on all kinds of state that you’re not that aware of, and when it goes over some threshold, you have to log in again.

Yeah, that’s probably it. Just because I never have a security problem doesn’t mean they don’t.