Security of a cookie

c676228

Hi all,

I have a question.

I use a cookie to track where our sales come from so we can credit our sales
agents. We assign a specific link to each of our agents like this: the
number 123456 represents a specific agent, and we pass the following link
to our agents.

www.mydomain.com/sales.asp?pcn=123456
I will write the value 123456 to a cookie called mycookie.
What I am worried about is this cookie's security.
If a programmer from one of our agents' offices knows how we credit our agents,
is it possible that their programmer imitates our program and even writes his
agent code on their customers' computers when those customers visit any pages
on their site (domain) and look for products similar to ours?
Say a customer visits www.theirdomain.com/products.asp and is just
browsing, not purchasing, but they write the exact same cookie and value,
with our domain name, to this customer's computer like this. This cookie is set to never
expire.

Response.Cookies("mycookie").Domain = ".mydomain.com"
Response.Cookies("mycookie").Value="123456"

Let's say two weeks later this customer visits our site ourdomain.com
and tries to purchase one of our products. This cookie value will be picked up
since it was written on his/her computer two weeks ago, so the sales credit
goes to this agent. Is it possible?
Thanks,

Vince Xu [MSFT]

Hello Betty,

You are right. A cookie is not secure. It is stored on the client, so the user
can access it at any time. The cookie value is also the QueryString in
the URL, that is: www.mydomain.com/sales.asp?pcn=123456. pcn is always
visible to the users.

Does mycookie only work for registered users? I think this functionality
is needed only if the registered user has logged in. If so, my suggestion is that
this value can be stored in the user profile in SQL Server instead of a
cookie. It will be handled on the server side and cannot be touched
directly on the client side, so it will be more secure than using a cookie.

For registered users, to keep the profile data for a long time, we can
store the value in SQL Server to meet the security requirement.
For unregistered users, to keep the profile data for a long time, we can
use a cookie, but you had better implement an algorithm to encrypt the cookie
value.
(In ASP.NET, we can build an HttpSecureCookie class to achieve it. In Classic
ASP, as one simple approach to encrypting cookies, you can check this:
http://successontheweb.blogspot.com/2008/06/string-randomization-and-encryption-in.html)


Sincerely,

Vince Xu

Microsoft Online Support


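One way to act on Vince's advice about protecting the cookie value, shown here as an added example that is not code from the thread: the server issues mycookie as agent code, issue time and an HMAC over both, so a value written without the server-side key (including a bare "123456") fails verification, and a bounded attribution window replaces the never-expiring cookie. The secret, the 14-day window and the "agent.time.mac" layout are constructed assumptions.

```python
import hashlib
import hmac

# Constructed example secret: in production load it from server-side config,
# never from the page or client. Only the server can compute a valid MAC.
SECRET = b"example-server-side-secret-change-me"
MAX_AGE = 14 * 24 * 3600  # assumed attribution window: 14 days, in seconds


def _mac(payload: str) -> str:
    """HMAC-SHA256 of the payload, hex encoded."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_attribution_cookie(pcn: str, now: int) -> str:
    """Value to store in 'mycookie' when a visitor arrives via sales.asp?pcn=...

    Layout: <agent code>.<issued-at unix time>.<hmac>. The MAC covers both
    fields, so neither the agent code nor the timestamp can be changed
    client-side without invalidating the cookie.
    """
    if not pcn.isdigit():
        raise ValueError("agent code must be numeric")
    payload = f"{pcn}.{now}"
    return f"{payload}.{_mac(payload)}"


def verify_attribution_cookie(value: str, now: int):
    """Return the agent code if the cookie is authentic and inside the
    attribution window, otherwise None (no credit is given)."""
    parts = value.split(".")
    if len(parts) != 3:
        return None  # malformed, e.g. a bare "123456" written by a third party
    pcn, issued, mac = parts
    if not (pcn.isdigit() and issued.isdigit()):
        return None
    # Constant-time comparison so the check does not leak MAC bytes via timing.
    if not hmac.compare_digest(mac, _mac(f"{pcn}.{issued}")):
        return None
    issued_at = int(issued)
    if issued_at > now or now - issued_at > MAX_AGE:
        return None  # expired (or clock-skewed into the future)
    return pcn
```

The cookie should also carry Expires/Max-Age matching MAX_AGE and the HttpOnly and Secure flags; the MAC is what stops a forged or edited value from earning credit.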
 

Dooza

c676228 said:
Hi all,

I have a question.

I use a cookie to track where our sales come from so we can credit our sales
agents. We assign a specific link to each of our agents like this: the
number 123456 represents a specific agent, and we pass the following link
to our agents.

www.mydomain.com/sales.asp?pcn=123456
I will write the value 123456 to a cookie called mycookie.
What I am worried about is this cookie's security.
If a programmer from one of our agents' offices knows how we credit our agents,
is it possible that their programmer imitates our program and even writes his
agent code on their customers' computers when those customers visit any pages
on their site (domain) and look for products similar to ours?
Say a customer visits www.theirdomain.com/products.asp and is just
browsing, not purchasing, but they write the exact same cookie and value,
with our domain name, to this customer's computer like this. This cookie is set to never
expire.

Response.Cookies("mycookie").Domain = ".mydomain.com"
Response.Cookies("mycookie").Value="123456"

Let's say two weeks later this customer visits our site ourdomain.com
and tries to purchase one of our products. This cookie value will be picked up
since it was written on his/her computer two weeks ago, so the sales credit
goes to this agent. Is it possible?
Thanks,

The domain name in the cookie prevents other websites from picking up
another website's cookies, so I don't think you have much to worry about.

Steve
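The browser rule Steve is relying on, as an added example that is not from the thread: per RFC 6265 a browser only honours a Domain attribute that the host sending Set-Cookie domain-matches, so a header from www.theirdomain.com naming .mydomain.com is discarded. The check below is a simplified model that skips the public-suffix list real browsers also consult.

```python
def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain
    or ends with it at a label boundary. A leading dot on the attribute is
    ignored, as browsers do."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == dom or host.endswith("." + dom)


def browser_accepts(setting_host: str, set_cookie: str) -> bool:
    """Model the RFC 6265 section 5.3 check a browser applies to a Set-Cookie
    header received from setting_host: if a Domain attribute is present and
    setting_host does not domain-match it, the whole cookie is ignored.

    Simplification: real browsers also reject a Domain that is a public suffix
    (e.g. Domain=com); that list is not consulted here.
    """
    attrs = [a.strip() for a in set_cookie.split(";")[1:]]
    domain = None
    for attr in attrs:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = value.strip()
    if not domain:
        return True  # no Domain attribute: host-only cookie for setting_host
    return domain_match(setting_host, domain)
```

This rule stops a third-party site from writing the cookie; it does not stop the person using the browser from editing the value themselves, which is the gap Vince's server-side suggestion covers.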

c676228

Vince and Steve,
Thank you both for the input.
I will think about server side implementation.
 