[ajug-members] Cookie question

Burr Sutter burr.sutter at jboss.com
Thu Jul 6 10:44:51 EDT 2006


I agree with Dean's point on the encrypting of cookies.  Simply put some
long unique string (GUID) that is really keyed to a database record (or
session data) on the server-side.  The 3rd party, assuming they could
steal your cookie, would then need access to your servers to figure out
what the real data is.

And Dean is our resident Atlanta JUG security expert!

Burr
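The pattern Burr describes above, as an added example that is not part of the original thread: the cookie carries only an unguessable opaque token, the real customer data lives in a server-side store keyed by that token, and a copied cookie value by itself discloses nothing. The in-memory store, the `sid` cookie name and the sample record are assumptions for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Server-side store: opaque token -> record it is keyed to.
# Constructed in-memory dict for the example; a real app uses a DB or session store.
SESSION_STORE: Dict[str, dict] = {}
TOKEN_TTL_SECONDS = 3600


def create_session(customer_record: dict, now: Optional[float] = None) -> str:
    """Store the real data server-side and return an unguessable token for the cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, never a sequential id
    SESSION_STORE[token] = {"data": customer_record, "expires": now + TOKEN_TTL_SECONDS}
    return token


def build_set_cookie(token: str, secure: bool = True) -> str:
    """Build a Set-Cookie header value; the cookie holds the token and nothing else."""
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True  # not readable through document.cookie by page scripts
    if secure:
        cookie["sid"]["secure"] = True  # only sent over HTTPS
    return cookie["sid"].OutputString()


def lookup_session(cookie_header: str, now: Optional[float] = None) -> Optional[dict]:
    """Resolve a request's Cookie header back to the server-side record, or None."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sid")
    if morsel is None:
        return None
    entry = SESSION_STORE.get(morsel.value)
    if entry is None or entry["expires"] <= now:
        SESSION_STORE.pop(morsel.value, None)  # unknown or expired token: drop it
        return None
    return entry["data"]


def revoke_session(token: str) -> bool:
    """Invalidate a token server-side; a stolen copy stops working immediately."""
    return SESSION_STORE.pop(token, None) is not None
```

Because the data is only reachable through the server-side lookup, a leaked token can be revoked or expired centrally, which an encrypted-data cookie cannot offer once it has been copied.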

-----Original Message-----
From: ajug-members-bounces at ajug.org
[mailto:ajug-members-bounces at ajug.org] On Behalf Of Dean H. Saxe
Sent: Thursday, July 06, 2006 10:23 AM
To: General AJUG membership forum (100-200 messages/month)
Subject: Re: [ajug-members] Cookie question

The JS will only have access to cookies in your domain if it's
downloaded from your domain, or if it takes advantage of browser
flaws.  Some systems actually download the JS from other domains
rather than embedding it in your code.

I highly recommend reading the book HTTP by O'Reilly, it explains all  
of this in excruciating detail.

With respect to encrypting the information, I have to disagree with  
the poster.  If the information is sensitive enough that you don't  
want it transmitted anywhere else, including a third party, don't  
store it client side.  Sensitive data should always be stored server  
side.

-dhs

Dean H. Saxe, CISSP, CEH
dean at fullfrontalnerdity.com
"What is objectionable, what is dangerous about extremists is not  
that they are extreme, but that they are intolerant."
     -- Robert F. Kennedy, 1964

Find out about my Hike for Discovery at www.fullfrontalnerdity.com/hfd

On Jul 6, 2006, at 10:09 AM, Burr Sutter wrote:

> 3rd party tracking systems typically use a
>
> A) small image that is embedded in your web pages OR
>
> B) a piece of JavaScript OR
>
> C) hook into the flash-plugin (via JS you can store pieces of data  
> in Flash that is invisible to the end-user) - works well if the  
> user shuts down cookie support
>
>
>
> With option A the 3rd party will likely provide a cookie with the  
> request/response for the images (typically an invisible .gif) and  
> in that scenario they will only have access to the cookies they  
> provide for their domain.
>
> With option B, where the 3rd party hands you a .js file and some
> script code to copy and paste into all of your pages, that JS
> could have access to all available cookies; you would have to look
> at their JS code for details.
>
> With option C, I'm not sure as I've not personally tried the  
> technique, just heard about it.
>
>
>
> What 3rd parties are you looking to use?  I've heard of Eloqua.
>
>
>
>
>
>
>
> From: ajug-members-bounces at ajug.org [mailto:ajug-members- 
> bounces at ajug.org] On Behalf Of James Thomas
> Sent: Thursday, July 06, 2006 9:31 AM
> To: ajug-members at ajug.org
> Subject: [ajug-members] Cookie question
>
>
>
> Hi Team,
>
> We are currently using 1st party cookies to track certain
> information about our customers; however, we have a third party
> business partner that creates and tracks other data about our users
> for us as well. We want to restrict access to our third party to
> only the cookies they are concerned with and not all of the cookies
> in the domain. What is the best way to accomplish this? This is a
> CF5 soon to be Java web app.
>
> Any thoughts?
>

