Security of a cookie

 
 
c676228
 
      09-13-2009
Hi all,

I have a question.

I use a cookie to track where our sales come from so we can credit our sales
agents. We assign a specific link to each of our agents like this, where the
number 123456 represents a specific agent, and then we pass the following link
to our agents.

www.mydomain.com/sales.asp?pcn=123456
I will write the value 123456 to a cookie called mycookie.
What I am worried about is this cookie's security.
If a programmer from one of our agents' offices knows how we credit our agents,
is it possible that their programmer imitates our program and even writes his
agent code on their customers' computers when those customers visit any pages
on their site (domain) and look for products similar to ours?
Say a customer visits www.theirdomain.com/products.asp and is just
browsing, not purchasing, but they write exactly the same cookie and value,
with our domain name, to this customer's computer like this. This cookie is set
to never expire.

' Classic ASP: the value is assigned directly (Response.Cookies has no .Value)
Response.Cookies("mycookie") = "123456"
Response.Cookies("mycookie").Domain = ".mydomain.com"
Response.Cookies("mycookie").Expires = DateAdd("yyyy", 10, Now()) ' "never" expires

Let's say two weeks later this customer visits our site, ourdomain.com,
and tries to purchase one of our products. This cookie value will be picked up
since it was written on his/her computer two weeks ago. So the sales credit
goes to this agent. Is it possible?
Thanks,
--
Betty
 
Vince Xu [MSFT]
 
      09-14-2009
Hello Betty,

You are right. A cookie is not secure. It is stored on the client, so the user
can access it at any time. The cookie value also appears as the QueryString in
the URL, e.g. www.mydomain.com/sales.asp?pcn=123456, so pcn is always
visible to the users.

Does mycookie only work for registered users? I think this functionality
is needed only when a registered user is logged in. If so, my suggestion is
that this value be stored in SQL Server as part of the user profile instead of
in a cookie. It will be handled on the server side, and it cannot be touched
directly on the client side, so it will be more secure than using a cookie.

For registered users, to keep the profile data for a long time, we can
store the value in SQL Server to meet the security requirement.
For unregistered users, to keep the profile data for a long time, we can
use a cookie. But you had better implement an algorithm to encrypt the cookie
value.
(In ASP.NET, we can build an HttpSecureCookie class to achieve it. In Classic
ASP, for one simple approach to encrypting a cookie, you can check this:
http://successontheweb.blogspot.com/...on-and-encrypt
ion-in.html)


Sincerely,

Vince Xu

Microsoft Online Support


==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subs...#notifications.

MSDN Managed Newsgroup support offering is for non-urgent issues where an
initial response from the community or a Microsoft Support Engineer within
2 business days is acceptable. Please note that each follow-up response may
take approximately 2 business days as the support professional working with
you may need further investigation to reach the most efficient resolution.
The offering is not appropriate for situations that require urgent,
real-time or phone-based interactions. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subs.../aa948874.aspx
==================================================

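Vince's advice is to protect the cookie value rather than trust it raw. The example below is added here and is not from the thread, nor the HttpSecureCookie class or blog post he refers to. It shows the property that actually matters for this cookie: since pcn is public in every agent link, secrecy buys nothing, but the server must be able to tell a value it issued itself from one written by someone else. An HMAC with a server-side key gives that, and a maximum age replaces the never-expiring cookie from the question. The key, the value layout ("pcn.issued_at.tag"), the 30-day window and the `credit_sale` helper are assumptions made for the example; the server-side lookup Vince suggests for logged-in users would sit beside this for anonymous visitors.

```python
"""Added example (not from the thread): a tamper-evident, expiring
agent-attribution cookie value, verified with an HMAC on the server."""
import hashlib
import hmac

SERVER_KEY = b"replace-with-a-random-secret-kept-on-the-server"  # assumption
MAX_AGE = 30 * 24 * 3600  # attribution window in seconds (assumption)


def sign_agent_cookie(pcn: str, issued_at: int, key: bytes = SERVER_KEY) -> str:
    """Build the cookie value "<pcn>.<issued_at>.<hex hmac-sha256>"."""
    if not pcn.isdigit():
        raise ValueError("pcn must be a numeric agent code")
    msg = f"{pcn}.{issued_at}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{pcn}.{issued_at}.{tag}"


def verify_agent_cookie(value: str, now: int, key: bytes = SERVER_KEY,
                        max_age: int = MAX_AGE):
    """Return the agent code if the value is genuine and fresh, else None.

    Rejects malformed values, a bare code such as "123456", a tag made with
    a different key, a changed pcn or timestamp, and values outside the window.
    """
    parts = value.split(".")
    if len(parts) != 3:
        return None
    pcn, issued_at_s, tag = parts
    if not (pcn.isdigit() and issued_at_s.isdigit()):
        return None
    expected = hmac.new(key, f"{pcn}.{issued_at_s}".encode(),
                        hashlib.sha256).hexdigest()
    # constant-time compare so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(expected, tag):
        return None
    issued_at = int(issued_at_s)
    if issued_at > now or now - issued_at > max_age:
        return None
    return pcn


def credit_sale(cookie_value: str, now: int) -> str:
    """What the checkout page would do: credit the agent, or 'house' if the
    cookie does not verify (hypothetical helper for the example)."""
    pcn = verify_agent_cookie(cookie_value, now)
    return pcn if pcn is not None else "house"


if __name__ == "__main__":
    t0 = 1_252_800_000  # constructed timestamp (September 2009)
    genuine = sign_agent_cookie("123456", t0)
    print(credit_sale(genuine, t0 + 14 * 86400))   # 123456: valid two weeks later
    print(credit_sale("123456", t0))               # house: bare value, no tag
    forged = sign_agent_cookie("123456", t0, key=b"agent-guess")
    print(credit_sale(forged, t0))                 # house: wrong key
    print(credit_sale("999999" + genuine[6:], t0)) # house: pcn changed, tag stale
    print(credit_sale(genuine, t0 + 60 * 86400))   # house: outside the window
```

Signing stops a third party from forging or editing the value, which is the scenario in the question. It does not by itself stop an agent from getting mydomain.com to issue a genuine cookie on their behalf (a hidden request to sales.asp?pcn=123456 from their own pages); that is a policy question for the server, which is why a bounded window and per-agent monitoring belong next to the signature.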
Dooza
 
      09-15-2009
The domain name in the cookie protects other websites from picking up
another website's cookies, so I don't think you have much to worry about.

Steve
 
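Steve's point rests on the rule that a browser only keeps a cookie whose Domain attribute covers the host that served the response. The example below is added here and is not from the thread; it implements that acceptance check as RFC 6265 describes it (section 5.1.3 domain matching, section 5.3 step 6) in a small cookie jar, so the scenario from the question can be played through. The host names, cookie names and the `CookieJar` class are constructed for the example and are not a real browser's code.

```python
"""Added example (not from the thread): the browser-side Domain check that
decides whether a Set-Cookie from one site can create a cookie for another."""


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host domain-matches domain if they are identical, or
    host ends with '.' + domain and host is not an IP address literal."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    if host == domain:
        return True
    if host.endswith("." + domain):
        return not host.replace(".", "").isdigit()  # no IPv4 literals
    return False


def parse_set_cookie(header: str):
    """Split 'name=value; Domain=...; Expires=...' into (name, value, attrs)."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


class CookieJar:
    """Minimal jar keyed by (domain, name); only the Domain rule is modelled."""

    def __init__(self):
        self.store = {}

    def receive(self, request_host: str, set_cookie: str) -> bool:
        """Handle one Set-Cookie from a response served by request_host.
        Returns True if stored, False if a browser would ignore it."""
        name, value, attrs = parse_set_cookie(set_cookie)
        domain_attr = attrs.get("domain", "").lstrip(".").lower()
        if domain_attr:
            # 5.3 step 6: ignore the cookie unless the request host
            # domain-matches the Domain attribute
            if not domain_matches(request_host, domain_attr):
                return False
            cookie_domain = domain_attr
        else:
            cookie_domain = request_host.lower()  # host-only cookie
        self.store[(cookie_domain, name)] = value
        return True

    def cookies_for(self, request_host: str) -> dict:
        """Cookies the browser would send with a request to request_host."""
        return {name: val for (dom, name), val in self.store.items()
                if domain_matches(request_host, dom)}


if __name__ == "__main__":
    jar = CookieJar()
    # The agent's page tries to write our cookie directly: rejected.
    print(jar.receive("www.theirdomain.com",
                      "mycookie=123456; Domain=.mydomain.com"))   # False
    print(jar.cookies_for("www.mydomain.com"))                   # {}
    # The same Set-Cookie served by our own host is accepted.
    print(jar.receive("www.mydomain.com",
                      "mycookie=123456; Domain=.mydomain.com"))   # True
    print(jar.cookies_for("shop.mydomain.com"))                  # {'mycookie': '123456'}
    print(jar.cookies_for("evilmydomain.com"))                   # {}
```

The check backs up Steve's answer for the exact case Betty describes: theirdomain.com cannot write a cookie scoped to .mydomain.com. It does not cover the indirect route, where the agent's page makes the customer's browser request www.mydomain.com/sales.asp?pcn=123456 (an image tag, a frame or a redirect) so that mydomain.com sets the cookie itself; in that case `receive` is called with our own host and accepts it. Whether the cookie is then credited two weeks later is therefore a server-side decision, which is where Vince's suggestion and an attribution window come in.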
c676228
 
      09-28-2009
Vince and Steve,
Thank you both for the input.
I will think about server side implementation.

--
Betty
