
All the Perl that's Practical to Extract and Report



Journal of Ovid (2709)

Tuesday July 15, 2003
05:11 PM

Never, never, never trust Microsoft

[ #13471 ]

Browser cookies are pretty straightforward: don't store any potentially sensitive information in them. Just don't do it. Anyone who's been working with the Web for any length of time should know this. Microsoft should know this. Apparently, they don't.

Like most people, I have more than one email account. One of them is a Hotmail account. I rarely give this email out and, as a pleasant result, I get no spam at it. However, I always check the "Do not remember my email address" checkbox. In theory, this means that the cookie the MS authentication system, Passport, sets would be a session cookie that goes away when I close my browser. However, I was at a friend's house yesterday and fired up his browser, only to see the email address field prepopulated with my email address. I hadn't checked that email there for a couple of weeks, but I've seen this sort of behavior repeatedly with Hotmail, so I know that this is not unusual. That "do not remember" box is a chancy beast, at best.

Today, while reviewing my browser cookies, I spotted the following:

Name: MSPPre
Content: ********@hotmail.com
Domain: .passport.com
Path: /
Server Secure: no
Expires: Wednesday, December 30, 2037 8:00:06 AM
Policy: stores identifiable information if user opts in

Mind you, that's one of eight different cookies that they set. Eight cookies? Not only is that impolite, since it crowds out cookies that you might want to keep, it also suggests that they don't have tight control over how they manage their information.

Aargh! Hair-pulling time! How many darned problems can we see here? We have an effectively permanent cookie, which is a no-no, particularly since I requested that my information not be stored. Further, we now have a privacy leak. Why are they storing my email address in a cookie that will be written to disk?

Case in point: I know of a young lady who kept an online journal. Her parents found it and started reading it and were horrified to find out that she was suffering from -- brace yourself -- teen angst! Her parents don't understand her, not enough boys like her, she's not very popular, etc., etc. In reading through the journal, there are no references to doing drugs, sex, or anything else that one might expect a parent to worry about, but this young lady's parents hit the roof. They forbade her to keep an online journal and they grounded her (naturally, I'm sure this cured the angst problem).

Since she never told anyone about this journal (I only found out after the fact because she's friends with my best friend's daughters), how did the parents find out? I don't know, but if they knew anything about computers, they could have checked the cookies that the online journal site set. I checked and discovered that they store the username in the cookie. Given that this can be very sensitive information, this is a terrible violation of privacy. (Yeah, I know, writing private thoughts online is stupid, but this was a kid who didn't know better).

If you write cookie code, please do not store identifying information in a cookie. It's a violation of people's expectation of privacy and could have very bad consequences. I suppose I shouldn't expect Microsoft to handle cookies properly, but we're Perl programmers. Go forth and do good!
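As an added illustration of the point (not code from the original post): a small Python audit of a Set-Cookie header modelled on the MSPPre record above, beside the opaque-session-id alternative, where only a random id goes to the browser and the identity stays server-side. The 30-day lifetime threshold, the function names and the audit date are my own assumptions; the email address is a constructed sample.

```python
import re
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# An e-mail address or account name has no business in a cookie value.
EMAIL_RE = re.compile(r"[^@\s;=]+@[^@\s;=]+\.[a-z]{2,}", re.IGNORECASE)
MAX_COOKIE_LIFETIME = timedelta(days=30)  # assumed policy: longer is "effectively permanent"

# Constructed sample modelled on the MSPPre record in the post (address is made up).
BAD_COOKIE = ("MSPPre=someone@hotmail.com; Domain=.passport.com; Path=/; "
              "Expires=Wed, 30 Dec 2037 08:00:06 GMT")
AUDIT_TIME = datetime(2003, 7, 15, tzinfo=timezone.utc)  # the post's date


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header, now=None):
    """Return the privacy problems found in one Set-Cookie header ([] means clean)."""
    now = now or datetime.now(timezone.utc)
    cookie = parse_set_cookie(header)
    problems = []
    if EMAIL_RE.search(cookie["value"]):
        problems.append("value contains an e-mail address")
    if "expires" in cookie["attrs"]:
        expires = parsedate_to_datetime(cookie["attrs"]["expires"])
        if expires - now > MAX_COOKIE_LIFETIME:
            problems.append("expiry is far in the future (effectively permanent)")
    if "secure" not in cookie["attrs"]:
        problems.append("missing Secure flag")
    if "httponly" not in cookie["attrs"]:
        problems.append("missing HttpOnly flag")
    return problems


def issue_session_cookie(email, sessions):
    """The browser gets only an opaque random id; the identity stays in `sessions` on the server."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = email
    # No Expires/Max-Age: a session cookie that the browser discards when it closes.
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```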

  • Case in point: I know of a young lady who kept an online journal. Her parents found it and started reading it and were horrified to find out that she was suffering from -- brace yourself -- teen angst! Her parents don't understand her, not enough boys like her, she's not very popular, etc., etc. In reading through the journal, there are no references to doing drugs, sex, or anything else that one might expect a parent to worry about, but this young lady's parents hit the roof. They forbid her to keep an on

    --
    You are what you think.
    • They're upset because they are a couple of yuppies who can't understand why their daughter doesn't appreciate their world. They're comfortable with shorts and Polo shirts and she's wearing black clothes, black eyeliner, black hair dye, etc. In short, she's sort of a Goth and she has Ward and June for parents. Neither really understands the other.