[ajug-members] Cookie question
Dean H. Saxe
dean at fullfrontalnerdity.com
Thu Jul 6 10:22:39 EDT 2006
The JS will only have access to cookies in your domain if it's
downloaded from your domain. Or if it takes advantage of browser
flaws. Some systems actually download the JS from other domains
rather than embedding it in your code.

I highly recommend reading the book HTTP by O'Reilly; it explains all
of this in excruciating detail.

With respect to encrypting the information, I have to disagree with
the poster. If the information is sensitive enough that you don't
want it transmitted anywhere else, including a third party, don't
store it client side. Sensitive data should always be stored server
side.
-dhs
Dean H. Saxe, CISSP, CEH
dean at fullfrontalnerdity.com
"What is objectionable, what is dangerous about extremists is not
that they are extreme, but that they are intolerant."
-- Robert F. Kennedy, 1964
Find out about my Hike for Discovery at www.fullfrontalnerdity.com/hfd
On Jul 6, 2006, at 10:09 AM, Burr Sutter wrote:
> 3rd party tracking systems typically use a
>
> A) small image that is embedded in your web pages OR
>
> B) a piece of JavaScript OR
>
> C) hook into the flash-plugin (via JS you can store pieces of data
> in Flash that is invisible to the end-user) – works well if the
> user shuts down cookie support
>
>
> With option A the 3rd party will likely provide a cookie with the
> request/response for the images (typically an invisible .gif) and
> in that scenario they will only have access to the cookies they
> provide for their domain.
>
> With option B where the 3rd party hands you a .js file and some
> script code to copy and paste into all of your pages then that JS
> could have access to all available cookies, you would have to look
> at their JS code for details
>
> With option C, I’m not sure as I’ve not personally tried the
> technique, just heard about it.
>
>
> What 3rd parties are you looking to use? I’ve heard of Eloqua.
>
> From: ajug-members-bounces at ajug.org [mailto:ajug-members-bounces at ajug.org] On Behalf Of James Thomas
> Sent: Thursday, July 06, 2006 9:31 AM
> To: ajug-members at ajug.org
> Subject: [ajug-members] Cookie question
>
>
> Hi Team,
>
> We are currently using 1st party cookies to track certain
> information about our customers, however, we have a third party
> business partner that creates and tracks other data about our users
> for us as well. We want to restrict access to our third party to
> only the cookies they are concerned with and not all of the cookies
> in the domain. What is the best way to accomplish this? This is a
> CF5 soon to be Java web app.
>
> Any thoughts?
>
> _______________________________________________
> ajug-members mailing list
> ajug-members at ajug.org
> http://www.ajug.org/mailman/listinfo/ajug-members
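
The cookie scoping discussed for options A and B, as an added example that is not part of the original thread: a simplified JavaScript model of which cookies go out with an image request versus which any in-page script can read, plus one mitigation the thread does not mention (the HttpOnly cookie attribute). All hosts, cookie names and function names are constructed for illustration.

```javascript
// Added example: simplified model of cookie scoping. It ignores Path, Secure,
// expiry and browser third-party-cookie blocking. Hosts and names are constructed.

// Host-only cookies match the exact host; Domain cookies also match subdomains.
function domainMatch(host, c) {
  return host === c.domain || (!c.hostOnly && host.endsWith("." + c.domain));
}

// Option A: cookies the browser attaches to a request for `host`
// (for example the partner's invisible .gif).
function sentWithRequest(jar, host) {
  return jar.filter(c => domainMatch(host, c)).map(c => c.name);
}

// Option B: cookies readable through document.cookie by any script running
// in a page on `pageHost`, whichever host the .js file was fetched from.
function readableByPageScript(jar, pageHost) {
  return jar.filter(c => domainMatch(pageHost, c) && !c.httpOnly).map(c => c.name);
}

// Mitigation: mark every first-party cookie HttpOnly except the ones the
// partner's script is meant to read. HttpOnly hides them from your own JS too.
function restrictToAllowlist(jar, siteHost, allowlist) {
  return jar.map(c => domainMatch(siteHost, c)
    ? { ...c, httpOnly: !allowlist.includes(c.name) } : c);
}

// Set-Cookie header value the server would emit for one cookie.
function setCookieHeader(c, value) {
  return `${c.name}=${value}; Path=/` + (c.httpOnly ? "; HttpOnly" : "");
}

// Constructed cookie jar: three first-party cookies and one set by the tracker.
const jar = [
  { name: "SESSIONID",    domain: "shop.example",    hostOnly: true,  httpOnly: false },
  { name: "cust_segment", domain: "shop.example",    hostOnly: true,  httpOnly: false },
  { name: "partner_vid",  domain: "shop.example",    hostOnly: true,  httpOnly: false },
  { name: "trk",          domain: "tracker.example", hostOnly: false, httpOnly: false },
];
const hardened = restrictToAllowlist(jar, "shop.example", ["partner_vid"]);

console.log("beacon request carries:", sentWithRequest(jar, "img.tracker.example"));
console.log("page script reads (before):", readableByPageScript(jar, "shop.example"));
console.log("page script reads (after): ", readableByPageScript(hardened, "shop.example"));
console.log(setCookieHeader(hardened[0], "abc"));
```
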