Can someone with admin rights access my browser login sessions? If I log into Gmail, it will stay logged in even after logging out of Windows and logging back in again. How easy would it be to, for example, log in to my Gmail account and reset passwords to log in to my other accounts?
Yes. The login session IDs (cookies) are just stored on disk. If you haven't explicitly logged out from Gmail, then someone else could either copy the entire cookie database... or just re-open the browser.
Is it safer to log out of my Gmail account every time, or doesn't it make any difference?
In well-designed webapps, the "logout" link actually marks the session ID as no longer valid on the server, so it cannot be used even if you no longer have it.
(Not all webapps are well-designed. Some of them are still so lazy that they don't even have session IDs but just store the actual password as a cookie. Fortunately those are very much in the minority.)
Even if they can't get login sessions or data, would they be able to identify online usernames and identities?
For mail services, they can open the web browser's history log and see that you've opened a page titled "Gmail - Inbox - foo@example.com" or something such.
In many cases they can also extract a lot of information from cached web pages; e.g. most sites show you your own username and/or have a link to your profile page.
If I connect to a website using https, the contents should be viewable to the website operator and me only
Encryption stops at the computer. HTTPS protection is only for transport, but it stops at the browser – the received HTML data in memory is no longer encrypted; the video signal going to the monitor is (usually) not encrypted; and of course the light coming out of the display is not encrypted.
So in the simplest case, a browser extension could easily access the contents of HTTPS-encrypted pages. Accessibility tools (e.g. screen-readers) can access all text shown on screen.
HTTPS itself can be bypassed when you control the client – just configure it to accept your fake certificates (instead of requiring a publicly-trusted issuer) and you can begin intercepting connections. This is actually a common approach taken by strict corporate networks, as well as by antivirus programs and other malware.
Do websites store unencrypted information in the browser cache?
Often, yes. (The website doesn't store things in cache – the browser itself does.) Usually regular pages and assets (images, scripts) are cached unless the server specifically opts out by sending a header.
On the other hand, interactive webapps heavily use JavaScript-based requests which are not cacheable (or at least set to bypass cache). Caching them would be useless anyway.
Does the browser do anything to ensure the privacy of website contents, or is it trivial for a user with admin/disk access to simply view the contents after the fact? Could these contents accidentally end up in a tape archive and still be easily viewable?
Generally, browsers try to at least obfuscate the remembered passwords, but don't do anything for all remaining data, i.e. bookmarks or cached pages are stored directly on disk.
There's the general assumption that you cannot win against a malicious sysadmin; the only winning move is not to play. And in most cases, anyway, either the browser is being used by the system's owner or by its primary user.
(The browser usually can't protect stored data without help from the OS anyway. For example, it could encrypt data... but where would it store the encryption key? And if it asked you for the key every time, how would it prove that it's the real browser and not a fake password prompt crafted by the sysadmin?)
That said, if you activate "Incognito mode" or similar, the browser tries to avoid storing anything on disk – it will use a memory cache only; it will not remember cookies or login sessions; it will not keep history on disk. This helps against the simplest attacks that you mention, although it still does absolutely nothing against keyloggers or screen-capture tools.
Assuming I have admin access too, what steps or measures can I take to make sure that none of the other admins are doing something untoward? Will disk encryption help?
Technical means won't solve the problem you are having with your co-admins.
(However, at least as a very basic measure, just don't share the OS-level user accounts. Yes, they're easily bypassable with admin access, but so are most door locks and yet most people still respect them.)
Similarly, should I avoid using my user folder in the network storage? I suppose this is similar to the previous questions, with the added vulnerability that the data is more likely to be permanently backed up somewhere. Or am I missing something?
Your user folder in the network storage is literally just a folder in network storage.
Whoever manages the actual storage server is always technically capable of viewing it (although they might be subject to audit logs). Really they might be required to have access, in order to make regular backups or even to be able to comply with legal requests.
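The answer's point that pages are cached unless the server opts out with a header, as an added example that is not part of the original post: a small audit that classifies a response by whether the browser may keep a copy on disk. The function names and the sample header sets are constructed for illustration; the directive meanings follow the standard HTTP caching rules, under which only `no-store` forbids storage while `private` and `no-cache` still allow a local copy.

```python
# Added example: which responses may end up in the browser's on-disk cache?
# Function names are hypothetical; the header sets are constructed samples.

def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def disk_cache_exposure(headers):
    """Classify one response by what a browser cache is allowed to keep.

    'not-stored'             no-store: the browser must not keep a copy
    'stored-must-revalidate' a copy may sit on disk, but is re-checked before reuse
    'stored'                 a copy may sit on disk and be reused as-is
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in cc:
        return "not-stored"
    if "no-cache" in cc or cc.get("max-age") == "0":
        return "stored-must-revalidate"
    # No opt-out at all also lands here: browsers may cache heuristically.
    return "stored"


# Constructed responses for a hypothetical webmail application.
SAMPLES = {
    "/inbox": {"Cache-Control": "no-store"},
    "/profile": {"Cache-Control": "private, no-cache"},
    "/static/app.js": {"Cache-Control": "public, max-age=86400"},
    "/help": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for path, headers in SAMPLES.items():
        print(f"{path:16} {disk_cache_exposure(headers)}")
```

Anything other than `not-stored` on a page that shows account data means someone with disk access can read that page from the cache later.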
By "someone other than yourself" do you mean the actual system owner, or do you mean various other users? What's illegal (or difficult/impossible) for e.g. library visitors is not necessarily illegal (or impossible) for the library sysadmin. – user1686 – 2019-11-12T15:44:56.960
[security.se] would be a better place for this. With that said, you should read more about the HTTPS protocol for your first and second questions. – CaldeiraG – 2019-11-12T15:58:45.873
https://www.cloudflare.com/learning/ssl/what-is-https/ – CaldeiraG – 2019-11-12T16:04:36.763
@grawity Assume a worst-case scenario, so the system owner with an admin account. At work we have a machine for which I and various colleagues have admin accounts. Library users wouldn't have admin accounts. Even the cleaning lady could modify hardware, so that's why I'm excluding stuff that involves bypassing the default security features of an OS. – W4uoe9A – 2019-11-12T16:10:07.770
@CaldeiraG As I said, I understand most of the basics, and assumed that an admin will be able to read the disk contents. I just didn't want to leave any stone unturned. In particular, I don't really know about the browser internals, and there could be something I was missing. – W4uoe9A – 2019-11-12T17:00:08.267
"Can someone with admin rights access my browser login sessions?" - As an Administrator I could, without any effort, copy your browser profile and use it as my own. This would allow me to access any sessions that were still valid. "If I connect to a website using https, the contents should not be viewable to the network admin." - As an Administrator I could force the use of a certificate in order to visit a website through HTTPS; the browser might complain depending on the certificate and the browser. There are security packages that install self-signed certs to scan HTTPS traffic. – Ramhound – 2019-11-12T22:49:08.153
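The answer's point about logout marking the session ID invalid on the server, and the last comment's point that a copied profile only works for sessions that are still valid, as an added example that is not part of the original thread. The `SessionStore` class and its method names are hypothetical, and the dictionary stands in for a browser's cookie file.

```python
# Added example: a logout that only clears the browser's cookie, beside a
# logout that also revokes the session ID on the server. Names are hypothetical.
import secrets


class SessionStore:
    """Server-side table of valid session IDs (in-memory stand-in)."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        sid = secrets.token_urlsafe(32)  # random, unguessable session ID
        self._sessions[sid] = username
        return sid

    def whoami(self, sid):
        """Return the user a session ID belongs to, or None if it is not valid."""
        return self._sessions.get(sid)

    def logout_client_only(self, browser_cookies):
        # Weak: the browser forgets the ID, but the server still honours it.
        browser_cookies.pop("sid", None)

    def logout_revoking(self, browser_cookies):
        # Well-designed: the ID is also deleted server-side, so a copy is useless.
        sid = browser_cookies.pop("sid", None)
        if sid is not None:
            self._sessions.pop(sid, None)


def copied_cookie_survives(logout_name):
    """Log in, copy the cookie store, log out; is the copied ID still accepted?"""
    store = SessionStore()
    browser = {"sid": store.login("foo@example.com")}
    copied = dict(browser)  # stands in for a cookie database copied from disk
    getattr(store, logout_name)(browser)
    return store.whoami(copied["sid"]) is not None


if __name__ == "__main__":
    for name in ("logout_client_only", "logout_revoking"):
        print(name, "-> copied cookie still valid:", copied_cookie_survives(name))
```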