Friendster, as some of you might know, is a beta version of an Internet service that lets people create networks of friends. Someone invited me to join and, while I was at first reluctant, I decided to check it out. The first thing I noticed was that it appears to be built using Java Server Pages. Naturally, my biases kicked in and I was rather suspicious. Good thing I was, too.
Aside from the fact that the service is terribly flaky (but it's a beta and they're overwhelmed, so I can hardly fault them for that), it's instructive to examine the headers that they return, specifically the cookie. Although it returns a session id, it also returns my email and password in plain text.
Why can't people get this right? Why isn't it blindingly obvious to people who do Web development that this is a bad idea? To compound matters, they offer to remember my login. While I haven't tried this option, I assume it means the expiration for the cookie will be set to some time in the future, thus ensuring that my password will be saved to disk. Better hope I'm not using a shared computer! Of course, even if I don't accept this option, the data could still be written to the swap file.
And how do they ensure that their session cookies expire? They set the expiration to a year in the past. Hey, I haven't tried doing that before (for obvious reasons). I wonder if that will also save my cookies to disk. I suspect this behavior might be browser dependent.
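As an added illustration (my own example code, not Friendster's headers or code), here is a small Python auditor for the Set-Cookie patterns described above, run on constructed headers: one set modelled on the behaviour described (a session id alongside email and password in the clear, plus a remember-me style expiry in the future), a hardened session cookie, and a logout header that deletes the cookie by dating it in the past. The cookie names, values and the audit date are all assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Cookie names that mean a credential is being handed to the browser in the clear.
CREDENTIAL_NAMES = {"email", "password", "passwd", "pwd"}
# Constructed reference time for the audit (roughly the Friendster beta era).
AUDIT_TIME = datetime(2003, 6, 1, tzinfo=timezone.utc)

def audit_set_cookie(header: str, now: datetime = AUDIT_TIME) -> list[str]:
    """Audit one Set-Cookie header value and return human-readable findings."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if name.lower() in CREDENTIAL_NAMES:
            findings.append(f"{name}: credential stored in cookie in plain text")
        if morsel["expires"]:
            expires = parsedate_to_datetime(morsel["expires"])
            if expires > now:
                # A future Expires turns a session cookie into one the browser
                # writes to disk, which is what a "remember me" option relies on.
                findings.append(f"{name}: persisted to disk until {expires:%Y-%m-%d}")
            else:
                # An Expires in the past is the conventional way to delete a cookie.
                findings.append(f"{name}: expiry in the past, browser will discard it")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
    return findings

def audit_response(set_cookie_headers, now: datetime = AUDIT_TIME) -> list[str]:
    # Audit every Set-Cookie header of one HTTP response.
    return [f for h in set_cookie_headers for f in audit_set_cookie(h, now)]

# Constructed headers modelled on the behaviour described in the post (not captured traffic).
WEAK_HEADERS = [
    "JSESSIONID=0f3a9c1e7b2d4e6f; Path=/",
    "email=alice@example.com; Path=/",
    "password=hunter2; Path=/; Expires=Thu, 01 Jan 2004 00:00:00 GMT",
]
# Hardened alternative: an opaque session id only, no credentials, no Expires.
HARDENED_HEADERS = ["JSESSIONID=0f3a9c1e7b2d4e6f; Path=/; Secure; HttpOnly"]
# Logout: the same cookie dated in the past so the browser discards it.
LOGOUT_HEADERS = ["JSESSIONID=deleted; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in [("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS), ("logout", LOGOUT_HEADERS)]:
        print(label, audit_response(headers) or ["no findings"])
```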
In any event, if their cookie mismanagement is any indication of the rest of their code quality, I don't expect them to solve their stability issues any time soon.