Who needs to link to the current user's profile page without knowing it? Only FB should have to do that and they know the profile page url. Other people should be linking to the profile page directly only if they know it, not based on which user is viewing. They should really have two profile URLs:
To fix this FB could stop doing this redirect entirely as it leaks information about the current user's session, and should not be necessary. I'm sure it'll break someone's links, somewhere, but it was a bad idea to begin with, and related is this old trick which let's you view a very popular profile:
All that should be required is a public profile url which can be shared (if you wish) or not, and a private profile url, and the url of the private profile should be generic and not redirected, so that it doesn't leak info in this way, and because it's not the same as a public profile anyway.
The problem with that is that different people viewing the same URL (/profile.php) gets a different resource. What happens if someone gives a link to his profile.php over IM or something, expecting it to show his own profile? The URL the user is shown in the address bar should represent the current resource being viewed.
A better solution could be to replace links to profile.php with direct links to the real profile URL, and just kill that profile.php redirection.
see a different resource? For a web app like FB I don't think this avoidable. All data served is dependent on who you are when you are logged in.
For another example of how to handle this better, see twitter:
twitter.com - the user's feed, content differs for each user
twitter.com/username - the user's public url, for sharing, a proper URI which everyone can use
twitter.com/settings/profile - the user's private profile, content differs for each user
I agree they shouldn't need that redirection with no id supplied and I suspect it's just a legacy of the original way of showing profiles (profile.php?id=n), they could just redirect it to root instead (shows the same as profile.php it seems) to avoid leaking state.
http://facebook.com/profile.php - private profile, no redirect
http://facebook.com/some.user.name - public profile (profile.php?id=123 could redirect here given an id so as not to break old links)
To fix this FB could stop doing this redirect entirely as it leaks information about the current user's session, and should not be necessary. I'm sure it'll break someone's links, somewhere, but it was a bad idea to begin with, and related is this old trick which let's you view a very popular profile:
http://facebook.com/profile.php?=112398345098345
All that should be required is a public profile url which can be shared (if you wish) or not, and a private profile url, and the url of the private profile should be generic and not redirected, so that it doesn't leak info in this way, and because it's not the same as a public profile anyway.