closing browser leaves user logged on

 
Ranch Hand
Posts: 898
I am using access through a public PC, in a library, and observe that on all of them (a dozen PCs), when I open a browser and connect to Javaranch.com, I am already logged on and see Hello "G Vanin".
I do not always have time to explicitly log out, because when my time is up I do not know exactly how much longer I may still use the PC.
When I am asked to leave and I have already overused my time, I cannot log out from all my sessions and just close the browsers. I always thought that it is the server side's business to take care of all the rest.
It is a certain inconvenience. You think everybody is OK, but really your logons are exposed to everybody.
 
"The Hood"
Posts: 8521
Your logon is saved in a cookie on the machine that you are running on. If it did not do this, every time that you clicked a link in javaranch and it opened another browser window that required knowing your logon ID, you would have to logon AGAIN. That would be REALLY irritating.
You just need to Log off.

Now we could talk about time management if you like.
(Cindy ducks behind the door . . .)
 
Guennadiy VANIN
Ranch Hand
Posts: 898
Hi, Cindy,
What is the way to ensure that cookies are removed and nobody will use my logon?
Except deleting all cookies... of course.
 
Sheriff
Posts: 9109
If you log out, the cookie will be set to "logged out" and nobody will be able to log in as you unless they know your password.
 
Cindy Glass
"The Hood"
Posts: 8521
I don't think that it would be fair to set the browser to not accept cookies on a machine that is used by lots of people. That would really interfere with the functionality of lots of other stuff that other users might need.
You need to logout.
 
Guennadiy VANIN
Ranch Hand
Posts: 898
Thanks everybody, Marilyn and Cindy,
You are my angels.
[ October 26, 2002: Message edited by: G Vanin ]
 
Guennadiy VANIN
Ranch Hand
Posts: 898
Marilyn,
if it is cookies that keep me logged on, then this means that I should log out from all of the (a few dozen) PCs I used in the library. Is that correct?
Just to be sure.
 
mister krabs
Posts: 13974
Yes, that is correct. Anyone who uses those PCs to go to JavaRanch will automatically be logged on as you.
 
Guennadiy VANIN
Ranch Hand
Posts: 898
Thanks Paul
 
Thomas Paul
mister krabs
Posts: 13974
You're welcome, Vanin.
 
Guennadiy VANIN
Ranch Hand
Posts: 898

Your logon is saved in a cookie on the machine that you are running on. If it did not do this, every time that you clicked a link in javaranch and it opened another browser window that required knowing your logon ID, you would have to logon AGAIN. That would be REALLY irritating.


Well, I am using different remote logons, using Hotmail, and changing windows inside those portals does not require re-entering my password each time...
Since I do not invent my passwords for hundreds of occasions...
I certainly would like to know how I may find/check that cookie on the PC. The question worrying me is whether my password is detectable from it.
[ November 20, 2002: Message edited by: G Vanin ]
 
Cindy Glass
"The Hood"
Posts: 8521
Because they save your logon status in a cookie . . .
And I certainly HOPE that you log out of Hotmail when you are done.
 
Guennadiy VANIN
Ranch Hand
Posts: 898
I just wanted to know: is the password extractable?
How does it function (I am not a cracker)... or... not yet...
I do not use exactly Hotmail. But after closing the browser I need to re-enter a password there.
 
Cindy Glass
"The Hood"
Posts: 8521
Passwords are not stored in cookies. The cookie just remembers what your ID is and thinks that you are STILL logged in from when you DID enter your password.
For instance, Amazon.com keeps track of each user's preferences and presents a custom screen to the user that best fits their interests. This is done based on the information that Amazon tracks in the cookie on the remote machine. If someone sits down at my PC and gets into Amazon, they are going to get a screen that was customized for ME, because Amazon presumes that is who is sitting there. Then they just offer a little place on the side bar that says "If you are not Cindy Glass please log in here".
However when it comes time to do anything critical like using a credit card - Amazon asks for the password again.
 
Guennadiy VANIN
Ranch Hand
Posts: 898
Cindy,
I already found Javaranch's cookie (it has the name dbdi_use@saloon.javaranch[2].txt) and it contains my password and my user name in plain text!!!
If it is being done in such a way, users should be warned about it, don't you agree with me? Because saving people's passwords on public PCs, in publicly accessible shares, without any warning is a very, very unpleasant fact.
Especially if it is aggravated by keeping and exposing it on the server side, besides to a hundred bartenders, to anybody who wants to explore it with a minimum knowledge of TCP/IP.
Let me remind you of JR's warning:

View/Update Profile
Your login (user) name cannot be changed. Note that your password is not encrypted and may be accessible by the message board administrators. Do not use a password that you would be afraid to reveal to anyone.
All of the information you provide on this page (with the exception of the password and login name) will be viewable by anyone visiting the message board. Thus, if you do not feel comfortable completing any non required fields, please leave them blank.


This is a serious and EXCESSIVE abuse of confidence (to multiply my passwords all over the world).
Note that I cannot even remedy this situation fast (going to all the occupied PCs in a library and university departments and asking, out of urgent necessity, to delete my passwords?).
[ November 21, 2002: Message edited by: G Vanin ]
 
Cindy Glass
"The Hood"
Posts: 8521
Well for heavens sake, why would you use the same password for an open forum like JavaRanch as you do for really OTHER stuff?
That is really not a good policy.
 
Guennadiy VANIN
Ranch Hand
Posts: 898
In order to avoid remembering multiple passwords. Of course, I have already changed it here. Good lesson.
Why, at all, have passwords in open forums, by your logic, I wonder?
[ November 21, 2002: Message edited by: G Vanin ]
 
Cindy Glass
"The Hood"
Posts: 8521
So that you cannot pretend to be me, for instance. Also it allows for private forums like Moderators Only. In addition it allows us to keep personal profiles that others cannot tamper with.
Well. . . I COULD tamper with yours I suppose . . .
(no Cindy . . don't DO it, just don't do it . . .Cindy slaps her hand)
If you don't have this then things degenerate down until they are like Meaningless Drivel
 
Trailboss
Posts: 23778
Having the cookie record the password seems less than cool. I wonder if it always does that or if it only does it when you select something like "remember my password".
 
Ranch Hand
Posts: 2676
When I logged out, the cookie that had the password was deleted and replaced with another cookie that had a session id. It did not display the user name or password. If you change your javaranch password on one computer, that will invalidate the cookies on all other computers.
[ November 22, 2002: Message edited by: Matthew Phillips ]
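The behaviour Matthew describes above (a logged-in cookie that carries only a session id, cleared on logout, and invalidated everywhere by a password change) is what a forum should do instead of writing the password into the cookie. The following is an added example, not JavaRanch's, UBB's or Jive's code: a small in-memory session store in which the password is verified once, hashed server-side with PBKDF2, and replaced by a random opaque token; the cookie never contains the password, logout removes that one token, and a password change bumps a version number so every older cookie on every other PC dies at once. The cookie name `ubb_session`, the 30-day lifetime and the user/password strings are assumptions made for the example.

```python
"""Opaque-token login cookies: the password stays on the server (added example)."""
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "ubb_session"     # assumed name; not the real UBB cookie name
TOKEN_TTL = 30 * 24 * 3600      # assumed "remember me" lifetime: 30 days


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash: the stored value is useless without the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_key(token: str) -> str:
    # Store only a hash of the token, so a leaked session table yields no usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self.users = {}      # name -> {"salt", "pw_hash", "pw_version"}
        self.sessions = {}   # sha256(token) -> {"user", "pw_version", "expires"}

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt,
                            "pw_hash": hash_password(password, salt),
                            "pw_version": 1}

    def _check_password(self, name: str, password: str) -> bool:
        u = self.users.get(name)
        if u is None:
            return False
        return hmac.compare_digest(u["pw_hash"], hash_password(password, u["salt"]))

    def login(self, name: str, password: str, now: float = None):
        """Verify the password once, then issue a random token that stands in for it."""
        if not self._check_password(name, password):
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)            # 256 random bits, unguessable
        self.sessions[_token_key(token)] = {"user": name,
                                            "pw_version": self.users[name]["pw_version"],
                                            "expires": now + TOKEN_TTL}
        return token

    def set_cookie_header(self, token: str) -> str:
        # Secure: sent only over https. HttpOnly: not readable by page scripts.
        return (f"Set-Cookie: {COOKIE_NAME}={token}; Path=/; "
                f"Max-Age={TOKEN_TTL}; Secure; HttpOnly")

    def whoami(self, token: str, now: float = None):
        """Map a presented cookie back to a user, or None if it is no longer valid."""
        now = time.time() if now is None else now
        key = _token_key(token)
        s = self.sessions.get(key)
        if s is None or s["expires"] < now:
            return None
        # A password change bumps pw_version, so every older cookie is rejected.
        if s["pw_version"] != self.users[s["user"]]["pw_version"]:
            self.sessions.pop(key)
            return None
        return s["user"]

    def logout(self, token: str) -> bool:
        """Forget this one token; other PCs' cookies are unaffected."""
        return self.sessions.pop(_token_key(token), None) is not None

    def change_password(self, name: str, old: str, new: str) -> bool:
        if not self._check_password(name, old):
            return False
        salt = secrets.token_bytes(16)
        u = self.users[name]
        u["salt"], u["pw_hash"] = salt, hash_password(new, salt)
        u["pw_version"] += 1          # invalidates all outstanding cookies everywhere
        return True


if __name__ == "__main__":
    store = SessionStore()
    store.register("G Vanin", "corral-secret")          # constructed credentials
    library_pc = store.login("G Vanin", "corral-secret")
    print(store.set_cookie_header(library_pc))          # no password anywhere in it
    print(store.whoami(library_pc))                     # G Vanin
    store.change_password("G Vanin", "corral-secret", "new-long-passphrase")
    print(store.whoami(library_pc))                     # None: cookie on the library PC is dead
```

A forgotten cookie on a library PC then gives an attacker only the forum session, never the password, and the user can kill every such session from any other machine simply by changing the password.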
 
Guennadiy VANIN
Ranch Hand
Posts: 898
Matthew,
the problem has nothing to do with clearing on logoff.
I am working on public PCs in a library; the name and password are common knowledge, and there is also access to the shared directory. So anybody can get my cookies remotely.
As I explained, I HAVE NOT BEEN WARNED that I should care about it at all!!!
The library rule is that you book a PC for a maximum of 2 hours/day. If you are sitting 2.5 hours and someone comes fresh, you are asked to leave and you have somebody waiting over your shoulder. Now you close the browsers, expecting them to clear off your server-side connection. In a couple of weeks, you have your passwords in plain text on a couple of dozen PCs.
Now what, should I go to all the other busy people across the library and ask "Wait. I should find and delete the passwords I left on other days"?!
THERE WAS NO WARNING!
99.9% OF PEOPLE FORCE THEMSELVES ONCE TO INVENT AND REMEMBER ONE GOOD PASSWORD, not hundreds for all occasions.
Paul,
I could not find any option for remembering the password. Anyway, why should it be done on both sides (on javaranch.com and on the client side)?
It is your site; you may even sell my data to others, but it is already unwarranted... and everybody knows what that is called.
[ November 22, 2002: Message edited by: G Vanin ]
 
Matthew Phillips
Ranch Hand
Posts: 2676

Do not use a password that you would be afraid to reveal to anyone.


The warning is there. The cookie is used to give you access to post to the appropriate forums. That is the way UBB works. If you want to make sure that your password doesn't get left in a cookie then login, post, and log out. You may browse all of the forums except Moderator's Only without logging in. The purpose of the cookie is to make sure that you don't have to login and log out each time you post.
 
Guennadiy VANIN
Ranch Hand
Posts: 898
Am I stupid or what?
Where is the warning that my passwords are being saved in plain text on the client side?
What is the sense of a password that someone wants to reveal to everybody?
 
Marilyn de Queiroz
Sheriff
Posts: 9109
Originally posted by G Vanin:
As I explained, I HAVE NOT BEEN WARNED that I should care about it at all!!!


I think that you are the first one to discover this security flaw.

I could not find any options of remembering the password.

Sometimes Windows will ask you if you want it to remember the password, but in my experience that is not usually the case in libraries.

It is your site; you may even sell my data to others

Nobody who works at Javaranch has sold or will sell your data to anyone.
 
Matthew Phillips
Ranch Hand
Posts: 2676

Originally posted by G Vanin:
Am I stupid or what?
Where is the warning that my passwords are being saved in plain text on the client side?
What is the sense of a password that someone wants to reveal to everybody?


As Marilyn wrote, you are the first person to find this particular flaw. In any case, you are warned that the password is not encrypted when you sign up.
 
Thomas Paul
mister krabs
Posts: 13974
It's a UBB problem. Obviously they don't consider the password to be that big a deal, so they don't bother encrypting it. I think it is just one more reason to move to Jive.
 
paul wheaton
Trailboss
Posts: 23778
As mentioned earlier, this is news to me. And I haven't sold your data to anybody, but thanks for the idea.
Thomas has the Jive stuff all running; the trick now is to mash the existing content into Jive. If we can do that, we can further examine making the move to Jive, which would mean that this is a problem that would just go away.
 
Ranch Hand
Posts: 776
Guennadii - You should be aware that JR is not the only public forum site that works this way; many that I am aware of do.
So if you say 'remember me', your user name and password for those sites are also stored in other cookies.
A question for the site moderators: will Jive use https for secure logins (like SourceForge, for example)? Or if another methodology will be used, what is it?
One other point for the management - not everyone in the world uses Windows and IE. Some browsers (e.g. Mozilla) give you an easy way to browse through all cookies and their content. If you are in a public place using a Unix or Linux box you definitely need to be aware of that.
Regards, Guy
 
Thomas Paul
mister krabs
Posts: 13974
Jive does not use https. https isn't a Jive thing; it's a web site thing. It would be very easy to convert Jive to use https, but I see no reason to do so, since we are talking about a password to get into a forum, not a password to get into your bank account.
 
Guennadiy VANIN
Ranch Hand
Posts: 898
Thanks for the response, Marilyn de Queiroz, Cindy, Paul Wheaton, Matthew, Thomas Paul,
it was just a little bit unexpected to me. And you know, old habits (habits are second nature).
PUBLIC or not public, it is a question/agreement of sharing and trust. It is impossible to employ a password without exposing/leaving it somewhere. Usually it is left somewhere trustworthy.
What is more dangerous:
to leave the key near your door, or somewhere in the
mountains or deserts of Colorado amongst American Indians who understand neither Portuguese nor Russian, in my Email box (I mean the other one appointed for notification)??
What is more dangerous: when your post/Email box with correspondence in Portuguese is broken into by your Portuguese neighbor, or by an American Indian from Colorado's mountains overseas?
I could not even imagine that such questions would need to be explained.
I hope it is the end of the beginning and beginning of the end.
How can I use Javaranch's Email box for notification of responses?
[ November 26, 2002: Message edited by: G Vanin ]
 
Guennadiy VANIN
Ranch Hand
Posts: 898


Originally posted by Cindy Glass:
Well. . . I COULD tamper with yours I suppose . . .
(no Cindy . . don't DO it, just don't do it . . .Cindy slaps her hand)


Cindy,
I authorize you to read the correspondence in my Email boxes, BUT without the right of re-distribution and/or changing anything there. This also means that you may not show them to human translators. If you have difficulties getting in, I will provide you with the necessary links, my passwords and my user names.
Please, stop your hand... It makes me nervous.
 
Ranch Hand
Posts: 7729
Are you guys saying it may not be me writing this?
I gotta go talk to my shrink about this...
 
Ranch Hand
Posts: 399
Re:

I already found Javaranch's cookie (it has the name dbdi_use@saloon.javaranch[2].txt) and it contains my password and my user name in plain text!!!
If it is being done in such a way, users should be warned about it, don't you agree with me? Because saving people's passwords on public PCs, in publicly accessible shares, without any warning is a very, very unpleasant fact.


If your cookies are on a publicly accessible share, might your other internet cache files be on publicly accessible shares as well? I doubt web sites are better about marking private information "do not cache" than they are about protecting passwords. Perhaps the shared computers have caching disabled. If so, perhaps they ought to consider disabling cookies as well.
On a related matter, using one password for everything is asking for trouble. I'm not a big web user, but I've run into plenty of cases in which passwords are not given reasonable protection. I don't have hundreds of passwords, but I have more than one. (When I forget one, it is usually for something for which I can reset or recover the password, or that is not important.)
 
Guennadiy VANIN
Ranch Hand
Posts: 898
Thanks, John, for your time,
for summarizing and addressing the problem briefly. It seems you have read it all through.

A lot of time, much more than just setting (correcting) an expiration time in cookies for any of the bartenders.

I am, somehow, an educated person in IT (above average) and was surprised, but for the average (99+%) it must be a surprise. If you are assured about care and you are not
[ December 28, 2002: Message edited by: G Vanin ]
 