Mechanical

Stupid Web site tricks

I'm fairly annoyed that Live Journal stores my username in the cookie. This means that anyone with access to your computer has a good chance of finding out not only that you have a Live Journal account, but what your account name is. This can cause problems for people who aren't aware that they can be found via shared computers (I've considered going to the library and seeing who's on Live Journal).

However, that's not nearly as bad as Friendster. They not only store your email address in your cookie, they also send your password in your cookie. In other words, if someone is capable of sniffing your network connection, they can get your password. If someone has physical access to your computer they can get your password. Of course, Friendster appears to be written using Java Server Pages, so what do you expect of Java Programmers ;)
  • Current Music: Hive | Ultrasonic Sound
Oh don't get all huffy! :P

Only people that are as smart (SMRT...smart) as YOU would be able to do such things.

Hopefully after they roll out the real (aka, non-beta) version it will fix those problems.

PS....how do you know that? I know it doesn't have the security key, but what else would let me know that? I'm such a novice pseudo-geek.
It's easy if you use Mozilla

Well, you asked how I knew so it's not my fault when you fall asleep reading this and get fired for sleeping on the job!

First, don't walk but run to your nearest Mozilla download site and get the Mozilla browser. Then, after that's installed and you discover that there is finally a browser that's both stable and better than Internet Explorer, you go install LiveHTTPHeaders. The latter is a small extension to Mozilla that lets you see the "background communication" that goes on when you surf the Web. Basically, when I request a Web page, I send out a request that says "hey, gimme this page". You ordinarily don't get to see that request. When the response returns, if it's successful, you usually have two parts. The part that you see is the Web page, technically known as the entity-body (or just "body") of the response. However, before that part is a section called the "headers", which we typically don't see. These headers look sort of like the following:

HTTP/1.x 302 Moved Temporarily
Content-Length: 0
Connection: close
Date: Fri, 18 Jul 2003 21:41:58 GMT
Server: Apache Tomcat/4.1 (HTTP/1.1 Connector)
Location: http://www.friendster.com/home.jsp
Set-Cookie: ServerID=1117;Domain=.friendster.com;Path=/
friendster_email=;Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
friendster_email=poec@yahoo.com;Domain=.friendster.com;Expires=Tue, 11-Nov-2003 15:28:38 GMT;Path=/
friendster_password=;Domain=.friendster.com;Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
JSESSIONID=********************************;Path=/

One thing you might notice if you look closely is that the password field is blank (it just has a '=;'). This means they are no longer sending the password and this is brand new. I mentioned this problem on another Web log and another person replied that he had asked some people he knew at Friendster about this. When the site came back up, the password was no longer being set. I don't know if my post is responsible for that, but I do find it to be very curious timing :)

If you're curious to see those headers for yourself and you've installed the LiveHTTPHeaders in Mozilla, you just go to "Tools -> Web Development -> Live HTTP Headers" and it will display the headers for you while you're surfing the Web. Unless you do Web development, though, it's pretty boring stuff. However, I strongly urge everyone to go to "Tools -> Cookie Manager -> Manage Stored Cookies" and start looking at the value associated with all of their stored cookies to see which sites store your personal information. It gets quite scary what some sites save.
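
Added example, not part of the original comment or of any site's code: a small Python audit of Set-Cookie values like the ones quoted above. It separates cookies the server is clearing (empty value, expiry in the past) from cookies that still carry a credential or personal data, and notes any cookie without the Secure attribute, which is what leaves it readable to someone sniffing the connection. The sample input is constructed (placeholder address and session id), and the name and value patterns are heuristics assumed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the Set-Cookie lines quoted above (placeholder values).
SAMPLE = """\
ServerID=1117;Domain=.friendster.com;Path=/
friendster_email=;Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
friendster_email=user@example.com;Domain=.friendster.com;Expires=Tue, 11-Nov-2003 15:28:38 GMT;Path=/
friendster_password=;Domain=.friendster.com;Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
JSESSIONID=0123456789abcdef;Path=/
"""

SENSITIVE_NAME = re.compile(r"pass|pwd|email|user|login", re.I)
EMAIL_VALUE = re.compile(r"[^@\s;]+@[^@\s;]+\.[^@\s;]+")

def parse_set_cookie(line):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in line.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def is_deletion(value, attrs):
    """Empty value plus an Expires date in the past: the server is clearing the cookie."""
    if value or "expires" not in attrs:
        return False
    try:
        when = datetime.strptime(attrs["expires"], "%a, %d-%b-%Y %H:%M:%S GMT")
    except ValueError:
        return False  # unrecognised date format: do not treat as a deletion
    return when.replace(tzinfo=timezone.utc) < datetime.now(timezone.utc)

def audit(lines):
    """Return (cookie name, finding) pairs for a list of Set-Cookie values."""
    findings = []
    for line in filter(None, map(str.strip, lines)):
        name, value, attrs = parse_set_cookie(line)
        if is_deletion(value, attrs):
            findings.append((name, "cleared by server"))
            continue
        if value and (SENSITIVE_NAME.search(name) or EMAIL_VALUE.search(value)):
            findings.append((name, "credential or personal data in cookie value"))
        if "secure" not in attrs:
            findings.append((name, "no Secure attribute, sent over plain HTTP"))
    return findings
```

Calling audit(SAMPLE.splitlines()) reports the blank password cookie as cleared and the email cookie as still holding personal data.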

Re: It's easy if you use Mozilla
Yeah, I was kinda expecting something like that, but you did ask :)

Nice glaze, by the way.