Security of a cookie

Discussion in 'ASP General' started by c676228, Sep 13, 2009.

  1. c676228

    c676228 Guest

    Hi all,

    I have a question.

    I use a cookie to track where our sales come from so we can credit our sales
    agents. We assign a specific link to each of our agents like this, where the
    number 123456 represents a specific agent, and then we pass the following link
    to our agents.

    www.mydomain.com/sales.asp?pcn=123456
    I will write the value 123456 to a cookie called mycookie.
    What I am worried about is this cookie's security.
    If a programmer from one of our agents' offices knows how we credit our agents,
    is it possible that their programmer imitates our program and even writes his
    agent code on their customers' computers when those customers visit any pages
    on their site (domain) and look for products similar to ours?
    Say a customer visits www.theirdomain.com/products.asp and is just
    browsing, not purchasing, but they wrote exactly the same cookie and value,
    with our domain name, to this customer's computer like this. This cookie never
    expires.

    Response.Cookies("mycookie").Domain = ".mydomain.com"
    Response.Cookies("mycookie").Value="123456"

    Let's say two weeks later this customer visits our site, ourdomain.com,
    and tries to purchase one of our products. This cookie value will be picked up
    since it was written on his/her computer two weeks ago. So the sales credit
    goes to this agent. Is it possible?
    Thanks,
     
    c676228, Sep 13, 2009
    #1

  2. Hello Betty,

    You are right. Cookies are not secure. They are stored on the client, so the
    user can access them at any time. The cookie value will also appear as the
    query string in the URL, e.g. www.mydomain.com/sales.asp?pcn=123456; pcn is
    always visible to the users.

    Does mycookie only work for registered users? I think this functionality
    is only needed if the registered user has logged in. If so, my suggestion is
    that this value can be stored as part of the user profile in SQL Server
    instead of in a cookie. It will be handled on the server side and cannot be
    touched directly on the client side, so it will be more secure than using a
    cookie.

    For registered users, to keep the profile data for a long time, we can
    store the value in SQL Server to meet the security requirement.
    For unregistered users, to keep the profile data for a long time, we can
    use a cookie. But you had better implement an algorithm to encrypt the cookie
    value.
    (In ASP.NET, we can build an HttpSecureCookie class to achieve it. In Classic
    ASP, as one simple approach to encrypting cookies, you can check this:
    http://successontheweb.blogspot.com/2008/06/string-randomization-and-encryption-in.html)


    Sincerely,

    Vince Xu

    Microsoft Online Support


     
    Vince Xu [MSFT], Sep 14, 2009
    #2
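    The protection Vince recommends for the unregistered-user case is that the server must be able to tell a cookie it wrote from one a client edited. The added example below (not code from this thread, and Python rather than Classic ASP, to show the approach) does that with an HMAC-SHA256 signature over the agent code plus an issue timestamp, so a cookie carrying a different agent code, or one older than an assumed 30-day credit window, is refused. The key, the window length and the sample values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example: the key must live only on the server
# (config file, environment variable), never in the page or the cookie.
SECRET_KEY = b"example-key-replace-with-a-random-32-byte-value"
CREDIT_WINDOW_SECONDS = 30 * 24 * 3600  # assumed policy: credit an agent for 30 days


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(body: str) -> str:
    return _b64encode(hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest())


def make_agent_cookie(agent_code: str, now: Optional[int] = None) -> str:
    """Value to write into mycookie: base64(payload) '.' base64(HMAC-SHA256(payload))."""
    issued_at = int(time.time()) if now is None else now
    payload = json.dumps({"pcn": agent_code, "iat": issued_at}, separators=(",", ":"))
    body = _b64encode(payload.encode("utf-8"))
    return f"{body}.{_signature(body)}"


def read_agent_cookie(cookie_value: str, now: Optional[int] = None) -> Optional[str]:
    """Return the agent code if the cookie is authentic and inside the credit window, else None."""
    check_time = int(time.time()) if now is None else now
    body, sep, sig = cookie_value.rpartition(".")
    if not sep or not body or not sig:
        return None  # not in our format (e.g. a bare "123456")
    # Constant-time comparison so timing differences do not leak signature bytes.
    if not hmac.compare_digest(sig, _signature(body)):
        return None  # forged or tampered: payload and signature do not match
    try:
        data = json.loads(_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(data, dict):
        return None
    agent_code, issued_at = data.get("pcn"), data.get("iat")
    if not isinstance(agent_code, str) or not agent_code.isdigit():
        return None
    if not isinstance(issued_at, int) or not 0 <= check_time - issued_at <= CREDIT_WINDOW_SECONDS:
        return None  # too old (or dated in the future): outside the credit window
    return agent_code


if __name__ == "__main__":
    value = make_agent_cookie("123456", now=1_700_000_000)
    print("stored:", value)
    print("two weeks later:", read_agent_cookie(value, now=1_700_000_000 + 14 * 86400))
    # A client that edits the agent code without the key fails verification.
    forged_body = _b64encode(b'{"pcn":"999999","iat":1700000000}')
    print("forged:", read_agent_cookie(forged_body + "." + value.rsplit(".", 1)[1]))
    print("plain:", read_agent_cookie("123456"))
```

    Signing only proves the server wrote the value; it does not stop a customer from keeping or copying a cookie that was legitimately issued, which is why the timestamp window matters and why the server-side profile Vince describes remains the stronger option for logged-in users.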

  3. Dooza

    Dooza Guest

    The domain name in the cookie protects other websites from picking up
    another website's cookies, so I don't think you have much to worry about.

    Steve
     
    Dooza, Sep 15, 2009
    #3
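    Steve's point, and the answer to the scenario in the original question, comes down to the browser's cookie storage rules. The added example below (not code from this thread; Python, modelled on RFC 6265 sections 5.1.3, 5.3 and 5.4) shows the two checks that matter: a Set-Cookie header whose Domain attribute the responding host does not match is discarded, and a cookie without a Domain attribute is bound to the host that set it. Hostnames are constructed for the demo, and public-suffix, Path, Secure and expiry handling are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain, or is a subdomain of it (and is not an IP)."""
    request_host, domain = request_host.lower(), domain.lower()
    if request_host == domain:
        return True
    return request_host.endswith("." + domain) and not _is_ip_address(request_host)


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str      # effective domain after storage
    host_only: bool  # True when the header carried no Domain attribute


def store_cookie(request_host: str, set_cookie: str) -> Optional[StoredCookie]:
    """Return what the browser keeps for a Set-Cookie header, or None if it rejects it."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    domain_attr = ""
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            # RFC 6265 5.2.3: a leading dot is ignored and the value is lower-cased
            domain_attr = val.strip().lower().lstrip(".")
    if domain_attr:
        # RFC 6265 5.3 step 6: a Domain the responding host does not match
        # (www.theirdomain.com trying Domain=.mydomain.com) is discarded.
        if not domain_matches(request_host, domain_attr):
            return None
        return StoredCookie(name.strip(), value, domain_attr, host_only=False)
    # No Domain attribute: the cookie is bound to the exact responding host.
    return StoredCookie(name.strip(), value, request_host.lower(), host_only=True)


def cookie_sent_to(cookie: StoredCookie, request_host: str) -> bool:
    """RFC 6265 5.4: host-only cookies go only to that host; others need a domain match."""
    request_host = request_host.lower()
    if cookie.host_only:
        return request_host == cookie.domain
    return domain_matches(request_host, cookie.domain)


if __name__ == "__main__":
    # The scenario from the question: the agent's site tries to plant our cookie.
    forged = store_cookie("www.theirdomain.com", "mycookie=123456; Domain=.mydomain.com")
    print("cross-site Set-Cookie accepted:", forged is not None)  # False
    # Our own sales page setting the same cookie is accepted and sent to subdomains.
    ours = store_cookie("www.mydomain.com", "mycookie=123456; Domain=.mydomain.com")
    print("sent to shop.mydomain.com:", cookie_sent_to(ours, "shop.mydomain.com"))  # True
    # A host-only cookie dropped by theirdomain.com never reaches mydomain.com.
    theirs = store_cookie("www.theirdomain.com", "mycookie=123456")
    print("their cookie sent to us:", cookie_sent_to(theirs, "www.mydomain.com"))  # False
```

    The browser rule closes the cross-site path in the question; it says nothing about a user editing or replaying a cookie the site itself issued, which is the case the signing and server-side storage suggestions in reply #2 address.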
  4. c676228

    c676228 Guest

    Vince and Steve,
    Thank you both for the input.
    I will think about server side implementation.
     
    c676228, Sep 28, 2009
    #4