I am currently studying some of the existing social networking sites for one project that I have been doing. In my laptop, my profile cookie in Friendster is saved since I am the only person using that laptop. That alone would save me from entering my credentials over and over again when I visit that page.
A certain concept in the design of social networking sites is common across sites and that is having a “limited” profile view. That is, you won’t be able to see the whole profile of the person you are viewing unless you are a contact or a friend of that person. Facebook’s implementation is too conservative while LinkedIn’s is customizable. Beyond Multiply (which I am more familiar with), Friendster is one of those popular social networking sites here in the Philippines, and I reviewed it. I barely check on other’s profile that’s why I don’t have a complete picture of how can you view a restricted profile in Friendster. I opened my IE wherein I am not logged-in in Friendster. I was able to see the “restricted” view of my friend’s profile BUT I noticed that the “Login” link was changed to “Log Out”. When I clicked on the “Profile” tab, my page was loaded.
I logged-out from Friendster in IE (even if I didn’t log-in), had a hard refresh (ctrl+f5) around 5 times. Closed the browser and repeated the same steps again and I found out that I was even logged in after all those things. Could this be another case of a faulty security implementation? As far as I know, two different browsers cannot share the same cookie of the same domain. From what I suspect, Friendster could have been storing sessions of users in their database that includes the username/email of the person, IP address, and the time they were last seen online. If a request has been made from another browser (say in my case in IE, where I am not logged-in) when a user tries to view a user but isn’t logged-in, the request would check from the database if an active session is in place from the same IP address and if a record is found, the request would make an authentication cookie in the browser even if he/she hasn’t logged-in in the system. I think this scenario is a security concern – case for example would be in a typical internet cafe set-up where only one public IP is being published, it is possible that even if you’re not logged-in in your account, you would be able to gain some “control” over the other accounts. While other features would prevent you from changing the password but the mere fact that you are able to log-in to an account isn’t yours or didn’t intentionally log-in, once the intruder makes some changes to your profile, it could mean a lot of things especially those that can see the spoiled information.
I am not sure if you can replicate the error, I think it is not just happening to me. Try it and let’s talk it over.