closing browser leaves user logged on

I am using access thru public PC, in library, and observe that in all (a dozen of PCs) when I open a browser and connect to Javaranch.com I already am logged on and have Hello "G Vanin".
I do not have always time to explicitly log out because when my time is out I do not know eactly how much more time I may still use PC.
When I am asked to leave and I am already overused my time I cannot log out from all my sessions and just close browsers. I always thought that it is server-side business to treat all the rest.
It is certain inconvenience. You think everybody OK but really your logons are exposed to everybody.

Your logon is saved in a cookie on the machine that you are running on. If it did not do this, every time that you clicked a link in javaranch and it opened another browser window that required knowing your logon ID, you would have to logon AGAIN. That would be REALLY irritating.
You just need to Log off.

Now we could talk about time management if you like
(Cindy ducks behing the door . . )

Hi, Cindy,
what is the way to ensure that coockies are removed and nobody will use my logon?
except deleting all coockies...of course

If you logout, The cookie will be set to "logged out" and nobody will be able to log in as you unless they know your password.

I don't think that it would be fair to set the browser to not accept cookies on a machine that is used by lots of people. That would really interfere with the functionality of lot's of other stuff that other users might need.
You need to logout.

thanks everybody, Marilyn and Cindy,
You are my angels
[ October 26, 2002: Message edited by: G Vanin ]

Marylin,
if it is cookies that maintain me logged on, then this does mean that I should log out from all of (a few dozens) PCs I used in library. Is it correct?
Just to be sure

Yes, that is correct. Anyone who uses those PCs to go to JavaRanch will automatically be logged on as you.

Thanks Paul

Your welcome, Vanin.

Your logon is saved in a cookie on the machine that you are running on. If it did not do this, every time that you clicked a link in javaranch and it opened another browser window that required knowing your logon ID, you would have to logon AGAIN. That would be REALLY irritating.

Well, I am using different remote logons, using hotmail, and changing windows inside those portals do not require reentering each time my password...
Since I do not invent my passwords for hundreds of occasions...
I certainly would like to know how may I find/check that coocky in PC. The question worrying me if my password is detectable from it?
[ November 20, 2002: Message edited by: G Vanin ]

Because they save your logon status in a cookie . . .
And I certainly HOPE that you log out of Hotmail when you are done.

just wanted to know is the password extractable?
How does it function (I am not cracker)...or... yet...
I do not use exactly hotmail. But after closing browser I need to reenter a password there.

Passwords are not stored in cookies. The cookie just remembers what your ID is and thinks that you are STILL logged in from when you DID enter your password.
For instance Amazon.com keeps track of each users preferences and presents a custom screen to the user that best fits their interests. This is done based on the information that Amazon tracks in the cookie on the remote machine. If someone sits down at my PC and gets into Amazon, they are going to get a screen that was customized for ME, because Amazon presumes that is who is sitting there. Then they just offer a little place on the side bar that says "If you are not Cindy Glass please log in here".
However when it comes time to do anything critical like using a credit card - Amazon asks for the password again.

Cindy,
I already found Javaranch's cookie (it has the name [email protected][2].txt) and it contains in palin text my password and my user name!!!
If it is being done in such a way: users should be warned about it, do not you agree with me? Because saving people's passwords in public PC to publicly accessible shares without any warning is very-very unpleasant fact
Especially if it is aggravated by the keeping and exposing it on the server side, except to a hundred bartenders, to anybody who wants to explore it. With a minimum knowledge of TCP/IP
Let me remind you JR's warning:

View/Update Profile
Your login (user) name cannot be changed. Note that your password is not encrypted and may be accessible by the message board administrators. Do not use a password that you would be afraid to reveal to anyone.
All of the information you provide on this page (with the exception of the password and login name) will be viewable by anyone visiting the message board. Thus, if you do not feel comfortable completing any non required fields, please leave them blank.

This is a serious and EXCESSIVE abuse of confidence (to multiply my passwords all over the world)
Note that I cannot even remedy fast this situation (coming to all occupied PCs in a library, university departments and ask for urgent necessity to delete my passwords?)
[ November 21, 2002: Message edited by: G Vanin ]

Well for heavens sake, why would you use the same password for an open forum like JavaRanch as you do for really OTHER stuff?
That is really not a good policy.

In order to avoid remembering multiple passwords. Of koz, I changed it already here. Good lesson
Why, at all, have passwords in open forums, by your logic, I wonder
[ November 21, 2002: Message edited by: G Vanin ]

So that you can not pretend to be me, for instance. Also it allows for private forums like Moderators only. In addition it allows us to keep personal profiles that others can not tamper with.
Well. . . I COULD tamper with yours I suppose . . .
(no Cindy . . don't DO it, just don't do it . . .Cindy slaps her hand)
If you don't have this then things degenerate down until they are like Meaningless Drivel

Having the cookie record the password seems less than cool. I wonder if it always does that or if it only does it when you select something like "remember my password"

When I logged out, the cookie that had the password was deleted and replaced with another cookie that had a session id. It did not display the user name or password. If you change your javaranch password on 1 computer that will invalidate the cookies on all other computers.
[ November 22, 2002: Message edited by: Matthew Phillips ]

Matthew,
th problem has nothing to do with clearing on logoff.
I am working on public PCs in library, the name and password is common knowledge, the access is also to shared directory. So, anybody can get my cookies remotely.
As I explained I HAVE NOT BEEN WARNED that I should care abt it at all!!!
The library rules is that you order PC for maximum 2 hours/day. If you are sitting 2.5 hours, and someone is coming fresh, you are asked to leave and you have somebody waiting you over the shoulder. Now you close browsers expecting them to clear off your server side connection. In a couple of weeks, you have you passwords in plain texts in a couple of dozens of PCs.
Now what, I should come to all other busy persons over the library, and ask "Wait. I should find and delete my passwords, I left other days"?!
THERE WAS NO WARNING!
99.9% OF PEOPLE FORCE THEM ONCE TO INVENT AND REMEBER ONE GOOD PASSWORD, not hundreds for all occasions
Paul,
I could not find any options of remembering the password. Anyway, why it should be done on both side (in javrach.com and on client side), anyway.
It is your site, you may even sold my data to others, but it is already unwarranted... and everybody knows how it is called
[ November 22, 2002: Message edited by: G Vanin ]

Do not use a password that you would be afraid to reveal to anyone.

The warning is there. The cookie is used to give you access to post to the appropriate forums. That is the way UBB works. If you want to make sure that your password doesn't get left in a cookie then login, post, and log out. You may browse all of the forums except Moderator's Only without logging in. The purpose of the cookie is to make sure that you don't have to login and log out each time you post.

Am I stupid or what?
Where is the warning that my passwords are being saved in palin text on a client side?
What is the sense of password that someone wants to reveal to everybody?

Originally posted by G Vanin:
As I explained I HAVE NOT BEEN WARNED that I should care abt it at all!!!

I think that you are the first one to discover this security flaw.

I could not find any options of remembering the password.

Sometimes Windows will ask you if you want it to remember the password, but in my experience that is not usually the case in libraries.

It is your site, you may even sold my data to others

Nobody who works at Javaranch has sold or will sell your data to anyone.

Originally posted by G Vanin:
Am I stupid or what?
Where is the warning that my passwords are being saved in palin text on a client side?
What is the sense of password that someone wants to reveal to everybody?

As Marilyn wrote, you are the first person to find this particular flaw. In any case, you are warned that the password is not encrypted when you sign up.

It's a UBB problem. Obviously they don;t consider the password to be that big a deal so they don't bother encrypting it. I think it is just one more reason to move to Jive.

As mentioned earlier, this is news to me. And I haven't sold your data to anybody, but thanks for the idea
Thomas has the jive stuff all running, the trick now is to mash the existing content into Jive. If we can do that, we can further examine making the move to jive which would mean that this is a problem that would just go away.

Guennadii - You should be aware that JR is not the only public forum site that works this way, many that I am aware of do.
So if you say 'remember me' your user name and password for those sites are also stored in other cookies.
A question for the site moderators: will Jive use https for secure logins (like sourceforge for example)? Or if another methodology will be used, what is it?
One other point for the mangement - not everyone in the world uses Windows and IE. Some browsers give (e.g. Mozilla) you a easy way to browse through all cookies and their content. If you are in a public place using a Unix or Linux box you definitely need to be aware of that.
Regards, Guy

Jive does not use https. https isn't a Jive thing it's a web site thing. It would be very easy to convert jive to use https but I see no reason to do so since we are talking about a password to get into a forum not a password to get into your bank account.

Thanks for response, Marilyn de Queiroz, Cindy, Paul Wheaton, Matthew, Thomas Paul,
it was just a little bit unexpected to me. And you know old habits (habits are the second nature).
PUBLIC or not public. It is a question/agreement of sharing and trust. It is impossible to employ a password without exposing/leaving it somewhere. Usually it is left to somewhere trustfull.
What is more dangerous:
to leave the key near your port or somewhere in
mountains of deserts of Colorado amongst American Indians that do not understand neither Portuguese nor Russian in my Email box (I mean that another one appinted for notification)??
What is more dangerous when your post/Email box with correspondence in Portuguese is broken by your Portuguese neighbor or American Indian from Colorado's mountains overseas?
I even could not imagine that such questions is necessary to explain.
I hope it is the end of the beginning and beginning of the end.
How can I use Javaranch's Email box for notification of responses?
[ November 26, 2002: Message edited by: G Vanin ]

Originally posted by Cindy Glass:
Well. . . I COULD tamper with yours I suppose . . .
(no Cindy . . don't DO it, just don't do it . . .Cindy slaps her hand)

Cindy,
I authorize your reading my Email boxes correspondence BUT without the right of re-distribution and/or changing anything there. This means also that you may not show them to human translators. If you will have difficulties in entering, I provide you with necessary links, my passwords and my user names.
Please, Stop your hand...It makes me nervous.

Are you guys saying it may not be me writing this?
I gotta go talk to my shrink about this...

Re:

I already found Javaranch's cookie (it has the name [email protected][2].txt) and it contains in palin text my password and my user name!!!
If it is being done in such a way: users should be warned about it, do not you agree with me? Because saving people's passwords in public PC to publicly accessible shares without any warning is very-very unpleasant fact

If your cookies are on a publically accessible share, might your other internet cache files be on publically accessible shares as well? I doubt web sites are are better about marking private information "do not cache" than they are about protecting passwords? Perhaps the shared computers have caching disabled. If so, perhaps they ought to consider disabling cookies as well.
On a related matter, using one password for everything is asking for trouble. I'm not a big web user, but I've run into plenty of cases in which passwords are not given reasonable protection. I don't have hundreds of passwords, but I have more than one. (When I forget one, it usually for something for which I can reset or recover the password, or that is not important.)

Thanks John for your time,
summarizing and addressing briefly the problem. It seems you have read it all thru.

A lot of time, much more than just setting (correcting) an expiration time in cookies for any from bartenders.

I am, somehow, educated person in IT (above average) and was surprised, but for average (99+%) it must be a surprise. If you are assured about care and you are not
[ December 28, 2002: Message edited by: G Vanin ]