The technique exploits the redirection mechanism of most login pages. Consider the URL "foo.com/login?redirect_after_login=%2Fimages%2Fspinner.gif". If you put that URL as the src of an img tag, and the user is logged in, some sites will 302 you to the image. If you are not logged in, the src will be the login page, and you can detect the difference with JavaScript.
Quote from the site:
What happens if you visit the login page with a ‘redirect on login’ parameter and you are already logged in? When implemented in a naive fashion you are simply immediately redirected to the page specified in the parameter. Some sites limit that parameter to being another page on the same domain, but we’ll see that doesn’t help for this trick.
This mechanism is open to abuse in exactly the way I needed; I could set the ‘redirect on login’ page to be an image file on the same domain. For example:
<img src="https://twitter.com/login?redirect_after_login=%2Fimages%2Fs... />
In this example, if I am logged in Twitter is kind enough to 302 redirect me to the image file I specified, but if I am not logged in I am shown the login page. It turns out that both Twitter and Google’s login mechanisms are susceptible to exactly this trick. It seems LinkedIn and Tumblr are currently immune to this, though I didn’t dig too deep so there might be another redirect URL for them.
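As an added illustration (not code from the quoted article or from any of the sites it names), the following Python models the login endpoint described above in two forms: a naive handler that 302-redirects already-authenticated visitors to any same-domain path, and a hardened handler that never varies its status code by authentication state and only offers the "continue" step to a real top-level navigation. The Request/Response classes, the header names checked, and the image-fetch probe are constructed for the example; the Sec-Fetch-* request headers and the Cross-Origin-Resource-Policy response header are real browser features, but which browsers send or honour them is assumed rather than verified here.

```python
"""
Model of a login page with a 'redirect after login' parameter.
naive_login() reproduces the leak described in the thread; hardened_login()
shows a defensive shape.  All types and sample values are constructed for
this example and are not any site's or framework's real API.
"""
import html
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote, urlsplit


@dataclass
class Request:
    redirect: Optional[str]      # raw value of ?redirect_after_login=
    logged_in: bool              # valid session cookie was sent
    headers: dict = field(default_factory=dict)  # Sec-Fetch-* from the browser


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


LOGIN_PAGE = "<html>login form</html>"

# What a cross-site <img src="https://site/login?redirect_after_login=..."> sends
# (constructed; Sec-Fetch-* values follow the Fetch Metadata spec).
IMAGE_FETCH = {"Sec-Fetch-Dest": "image", "Sec-Fetch-Mode": "no-cors",
               "Sec-Fetch-Site": "cross-site"}


def safe_local_path(raw: Optional[str]) -> Optional[str]:
    """Accept only a relative path on this origin such as '/x/y'.  Rejects
    absolute URLs, scheme-relative '//host' and backslash variants (open
    redirect hardening).  Note this is the 'same domain' check the quoted
    article says does NOT stop the login-state leak on its own."""
    if not raw:
        return None
    target = unquote(raw)
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not target.startswith("/") \
            or target.startswith("//") or "\\" in target:
        return None
    return target


def naive_login(req: Request) -> Response:
    """Logged in -> 302 to the target (even an image); logged out -> 200 form.
    The response *type* depends on auth state, and an <img> on another site
    observes that through its load/error events without reading any body."""
    target = safe_local_path(req.redirect)
    if req.logged_in and target:
        return Response(302, {"Location": target})
    return Response(200, body=LOGIN_PAGE)


def hardened_login(req: Request) -> Response:
    """Always answer 200 with HTML.  The 'continue' link is offered only to a
    top-level navigation, never to image/iframe/script fetches, so embedding
    the URL yields the same observable result whether or not a session exists.
    CORP additionally tells the browser not to expose the response to
    cross-origin embedders.  In a real deployment the session cookie would
    also be SameSite=Lax, so a cross-site <img> fetch carries no session at
    all (the same effect the thread reports when third-party cookies are
    blocked)."""
    headers = {"Cross-Origin-Resource-Policy": "same-origin",
               "Cache-Control": "no-store"}
    is_navigation = (req.headers.get("Sec-Fetch-Dest") == "document"
                     and req.headers.get("Sec-Fetch-Mode") == "navigate")
    target = safe_local_path(req.redirect)
    if req.logged_in and target and is_navigation:
        body = ('<html>Already signed in. <a href="%s">Continue</a></html>'
                % html.escape(target, quote=True))
        return Response(200, headers, body)
    return Response(200, headers, LOGIN_PAGE)


def img_tag_outcome(resp: Response) -> str:
    """What a cross-site <img> can observe: 'load' if the browser ends up at
    an image, otherwise 'error'.  HTML bodies are never readable cross-site."""
    loc = resp.headers.get("Location", "")
    if resp.status == 302 and loc.lower().endswith((".gif", ".png", ".jpg")):
        return "load"
    return "error"


def login_state_observable(handler) -> bool:
    """Detection check: does an image-fetch probe of the handler produce a
    different <img> outcome for logged-in vs logged-out sessions?"""
    probe = "%2Fimages%2Fspinner.gif"
    seen = {img_tag_outcome(handler(Request(probe, state, IMAGE_FETCH)))
            for state in (True, False)}
    return len(seen) > 1


if __name__ == "__main__":
    print("naive leaks login state:", login_state_observable(naive_login))
    print("hardened leaks login state:", login_state_observable(hardened_login))
```

The login_state_observable() check is the useful part for a reviewer of a real login endpoint: run the same probe against a staging deployment with and without a session cookie and compare the status code and final resource type, rather than relying on a domain allow-list for the redirect parameter.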
It doesn't seem to detect logins if third-party cookies are blocked. I had all third-party cookies blocked, and it didn't detect me logged into any of the sites. Disabled blocking, and it detected me logged into Google and G+.