Session Sync Security
End-to-end encrypted cookie sync, OPAQUE authentication, and an auditable client designed to keep plaintext session data out of the backend.
End-to-End Encryption
All cookie data is encrypted on your device before being uploaded. We never have access to your decryption keys, ensuring only you can read your data.
OPAQUE & VOPRF Auth
Our authentication system uses OPAQUE (password-authenticated key exchange) and VOPRF (Verifiable Oblivious Pseudorandom Functions) for zero-knowledge login.
Zero-Knowledge Design
We cannot see your cookie values, domains, or session data. Our servers only store encrypted blobs that are meaningless without your keys.
Local Key Management
Decryption keys never leave your device. They're stored securely in the browser's encrypted storage and used only locally.
Secure Infrastructure
Built on Cloudflare Workers and Durable Objects for edge computing and enhanced security isolation.
Auditable Client
The browser extension client is open source and reviewable, so users can inspect local encryption, key handling, and sync behavior directly.
Encryption & Security Architecture
StayLogged implements a multi-layered security architecture designed to protect your cookie data at rest and in transit.
1. Client-Side Encryption
Before any cookie data leaves your browser, it's encrypted using AES-GCM with a unique key derived from your master password. This ensures that even if our servers were compromised, your data would remain unreadable.
2. OPAQUE Authentication
We use OPAQUE (Oblivious Password-Authenticated Key Exchange) for secure login. Unlike traditional password authentication, OPAQUE ensures that even if an attacker intercepts the authentication process, they cannot learn your password or derive the encryption key.
3. VOPRF for Key Derivation
Verifiable Oblivious Pseudorandom Functions (VOPRFs) are used to derive encryption keys without exposing them to the server. This provides forward secrecy and prevents server-side key exposure.
4. Session Transport Security
All sync traffic uses WebSocket with capability-based authentication. Short-lived capabilities are issued per session and per cloud store, ensuring granular access control.
5. Local Key Management
Encryption keys are stored in the browser's secure storage (chrome.storage.local with encryption) and never transmitted to our servers. Keys are derived from the master password using salted PBKDF2.
6. Audit Trail
All operations are logged locally for audit purposes. You can review which cookies were synced, when, and to which browsers. This transparency ensures accountability.
Client Auditability
The browser extension client is open source, so users and researchers can verify the code paths that handle local encryption, key recovery, and cookie sync. The hosted service remains closed source, but it is designed not to hold the decryption keys for cookie payloads.
Privacy Policy Highlights
No Personal Data Collection
We don't collect your browsing history, personal information, or any data beyond what's necessary for cookie synchronization. Only encrypted cookie values are stored.
No Third-Party Sharing
Your data never leaves our secure servers. We don't share information with advertisers, analytics companies, or any third parties.
Local Control
You maintain complete control over your data. You can delete all synced cookies at any time, or disable sync entirely. All encryption keys stay on your devices.
Transparency Reports
The most important transparency surface is the client itself. Users can inspect the open extension code and compare its behavior with the privacy and security claims made on this site.
Security Standards & Compliance
Auditable Client: open source extension code
Encryption: AES-GCM & OPAQUE
Zero Knowledge: server cannot decrypt
Auditable: public code review
Security Cluster Paths
Use the security page as the risk model hub, then branch into architecture, operational setup, and editorial explainers that reinforce the same trust boundaries.
Architecture: Cross-Browser Session Sync. See where encryption, transport, and sequencing fit into the actual sync path.
Reference: Technical Overview. Read the more technical summary of account flows, sync transport, and cloud-store behavior.
Blog: Security of Cross-Browser Sync. Use the shorter article when you want the security argument without reading the full product page.
Operations: Session Sync Guides. Move from theory into setup choices like browser scope, domain scope, and recovery workflow.