I just noticed that LiveJournal has a lousy cookie-based authentication system.
Not really a threat unless you like accessing stuff on a public terminal (or at friends’ houses). The lesson here is that when you access your account from other PCs, don’t forget to log out.
Jem logged on using this PC a couple of days ago. I went to some LJ entries of my friends just now and noticed that I was still logged on to her account, even though she had clearly posted from her house since the time she had been here.
This flaw is clearly a lack of foresight on the developers’ part. You can easily add a server-side check: store the last session cookie issued to the account and compare it with the cookie presented in the current request. If they differ, simply generate the page as a logged-out user and require the visitor to re-enter their credentials if they wish to log in. There is also the cookie-expiration method. Usually both implementations (and some others) are used simultaneously for good measure. The LJ team apparently didn’t notice this when they were creating the damn system.
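Here is what the two checks described above look like in code. This is an added example, not LiveJournal’s code; it assumes the cookie carries the account name alongside an opaque token, that a fresh login replaces the previously issued token (single live session per account), and a one-hour lifetime.

```python
import hmac
import secrets
import time


class SessionStore:
    """Server-side registry: one live session token per user, plus an expiry.

    Assumptions for this example: the login cookie is (user, token), and a new
    login for the same user supersedes any token issued earlier.
    """

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.current = {}  # user -> (token, expires_at)

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable; only the server keeps it
        # Replacing the stored token means a cookie left behind on another
        # machine no longer matches and is treated as logged out.
        self.current[user] = (token, now + self.ttl)
        return token

    def logout(self, user):
        self.current.pop(user, None)

    def is_authenticated(self, user, cookie_token, now=None):
        now = time.time() if now is None else now
        entry = self.current.get(user)
        if entry is None:
            return False
        token, expires_at = entry
        if now >= expires_at:
            self.current.pop(user, None)  # expired: drop it and require re-login
            return False
        # Constant-time comparison so the stored token cannot be probed via timing.
        return hmac.compare_digest(token, cookie_token)


def demo():
    """Replays the scenario from the post with constructed timestamps."""
    store = SessionStore(ttl_seconds=3600)
    t0 = 1_000_000.0
    cookie_on_friends_pc = store.login("jem", now=t0)
    cookie_at_home = store.login("jem", now=t0 + 7200)  # later login elsewhere
    stale = store.is_authenticated("jem", cookie_on_friends_pc, now=t0 + 7300)
    fresh = store.is_authenticated("jem", cookie_at_home, now=t0 + 7300)
    expired = store.is_authenticated("jem", cookie_at_home, now=t0 + 7200 + 3600)
    return stale, fresh, expired  # (False, True, False)
```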
If you use your account on one PC exclusively, then this is nothing to worry about. But if you’re like a blogger from hell who likes checking every minute wherever you are, then make damn sure that you log out afterwards. Besides, this is the internet: data is much easier to crack than a physical lock, so it doesn’t hurt to play it safe.
Anyways, just a friendly warning to all the LJ users – knowing is half the battle. As for me, I’m perfectly content with MovableType running on my own server. Can’t wait till they release version 3.1
