Browser cookies are pretty straightforward: don't store any potentially sensitive information in them. Just don't do it. Anyone who's been working with the Web for any length of time should know this. Microsoft should know this. Apparently, they don't.
Like most people, I have more than one email account. One of them is a Hotmail account. I rarely give this email out and, as a pleasant result, I get no spam at it. However, I always check the "Do not remember my email address" checkbox. In theory, this means that the cookie that the MS authentication system, Passport, sets would be a session cookie that goes away when I close my browser. However, I was at a friend's house yesterday, fired up his browser only to see the email address field prepopulated with my email address. I hadn't checked that email there for a couple of weeks, but I've seen this sort of behavior repeatedly with Hotmail so I know that this is not unusual. That "do not remember" box is a chancy beast, at best.
Today, while reviewing my browser cookies, I spotted the following:
Server Secure: no
Expires: Wednesday, December 30, 2037 8:00:06 AM
Policy: stores identifiable information if user opts in
Mind you, that's one of eight different cookies that they set. Eight cookies? Not only is that impolite to do since it knocks off cookies that you might want to keep, it's also suggestive that they don't have tight control over how they are managing their information.
Aargh! Hair-pulling time! How many darned problems can we see here? We have an effectively permanent cookie, which is a no-no, particularly since I request that my information not be stored. Further, we now have a privacy leak. Why are they storing my email address in a cookie that will be written to disk?
Case in point: I know of a young lady who kept an online journal. Her parents found it and started reading it and were horrified to find out that she was suffering from -- brace yourself -- teen angst! Her parents don't understand her, not enough boys like her, she's not very popular, etc., etc. In reading through the journal, there are no references to doing drugs, sex, or anything else that one might expect a parent to worry about, but this young lady's parents hit the roof. They forbade her to keep an online journal and they grounded her (naturally, I'm sure this cured the angst problem).
Since she never told anyone about this journal (I only found out after the fact because she's friends with my best friend's daughters), how did the parents find out? I don't know, but if they knew anything about computers, they could have checked the cookies that the online journal site set. I checked and discovered that they store the username in the cookie. Given that this can be very sensitive information, this is a terrible violation of privacy. (Yeah, I know, writing private thoughts online is stupid, but this was a kid who didn't know better).
If you write cookie code, please do not store identifying information in a cookie. It's a violation of people's expectation of privacy and could have very bad consequences. I suppose I shouldn't expect Microsoft to be able to handle them properly, but we're Perl programmers. Go forth and do good!
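One way to follow that advice, as an added example that is not part of the original post: the cookie carries only a random identifier, the email address stays in a server-side table, and an expiry date is set only when the user asks to be remembered. The %SESSIONS hash, the "sid" cookie name, the 30-day lifetime and the sample address are assumptions for illustration, and the code assumes the CGI::Cookie module and /dev/urandom are available.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI::Cookie;

# Server-side session table: opaque id => identifying data.
# A plain hash for illustration; a real site would use a database or session store.
my %SESSIONS;

# Return 32 hex characters read from the kernel CSPRNG (assumes /dev/urandom).
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $bytes, 16);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack 'H*', $bytes;
}

# Build the login cookie. The email address is kept in %SESSIONS on the
# server; the browser only ever receives the random id.
sub login_cookie {
    my ($email, $remember) = @_;
    my $sid = new_session_id();
    $SESSIONS{$sid} = { email => $email };

    my %args = (
        -name     => 'sid',
        -value    => $sid,
        -path     => '/',
        -secure   => 1,    # only sent over HTTPS
        -httponly => 1,    # not readable from page script
    );
    # Only a user who asked to be remembered gets an expiry date. Without
    # -expires the browser treats this as a session cookie.
    $args{-expires} = '+30d' if $remember;
    return CGI::Cookie->new(%args);
}

# Constructed sample address and choices, for demonstration only.
for my $remember (0, 1) {
    my $header = login_cookie('alice@example.com', $remember)->as_string;
    die "identifying data leaked into cookie" if $header =~ /alice|example\.com/;
    print "remember=$remember  Set-Cookie: $header\n";
}
```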