A scenario based question on cookies.

Post by limdis on Fri Apr 11, 2014 9:24 pm

I have a question about cookies for anyone security-minded with knowledge of web development.

My question is as follows:
I know that cookies can be read to determine advertisements specific to the user; however, once those and the cache are cleared, that should revert to seeing the 'default' ads. Let's use Facebook as an example here. Now, what if you wanted to record those cookies for that reason, to avoid having to worry about the user clearing them? How would that look on the backend? Second part: what if a user session is open in another location but is not active (idle)? How would you ensure that the user sees those same ads if they were to log into another computer from somewhere else?


Re: A scenario based question on cookies.

Post by Goatboy on Fri Apr 11, 2014 9:47 pm

Typically if you have already logged in, they don't use cookies for ad purposes. Since you already have a session, they know what you view and what you click on, so they can just query that from their end.

As for being in another location, same deal. You have logged in so they know it is you (or someone pretending to be you) and they can deliver the ads the same way.


Re: A scenario based question on cookies.

Post by tremor77 on Mon Apr 28, 2014 9:23 am

A lot of sites are storing cookies and session information server side now, both for security purposes to protect you (session stealing) and for the purpose of managing to track you even if you are blocking or fiddling with your cookies anyway. See things like Apache's mod_session_dbd. You'll find a lot of cases where cookies are encrypted now as well, and messing with any cookies on a site (say with Firebug or a cookie editor) will basically flush your session and hose the site, or they will simply reload it in an AJAX call and serve you a new session, still knowing who you are from your headers.

From the ads perspective, for the content deliverer, say Facebook, honestly it's all about ad impressions anyway. So the idle case in one location vs. logged in somewhere else, let's say your phone vs. your desktop: they have no incentive to show you the same ad on both. In fact, their mobile revenue stream and ad blocks are entirely different from their desktop blocks anyway. You're more likely to be targeted based on header information, platform, OS, geolocation, and previously saved user history.

The cookie is basically just a minor tool in their arsenal, to say "oh hey, it's this guy again", and I think it's being used less and less as a long-term marker. It's great for cross-site marketing by the likes of Google ads, so they can check in on you from site to site that displays Google ads, but in a lot of cases cookies are no more than brief session auths these days. Clear your cookies while logged into a site, your session will end and you'll be logged out...
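The backend arrangement the two replies above describe, as an added example that is not part of any post in this thread: the cookie carries only a session id, the ad history is stored server side against the account, and an edited cookie flushes the session. The function names, the in-memory dicts standing in for a database, and the use of an HMAC signature (in place of the cookie encryption tremor77 mentions) are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed key, never leaves the server
SESSIONS = {}     # session id -> account (server-side session store)
AD_PROFILES = {}  # account -> topics clicked (kept across sessions and devices)


def _sign(sid: str) -> bytes:
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest().encode()


def login(account: str) -> str:
    """Open a server-side session; the cookie is only 'sid.mac', no profile data."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = account
    return sid + "." + _sign(sid).decode()


def resolve(cookie: Optional[str]) -> Optional[str]:
    """Return the account behind a cookie, or None if missing, edited or unknown."""
    if not cookie or "." not in cookie:
        return None
    sid, mac = cookie.rsplit(".", 1)
    if not hmac.compare_digest(mac.encode(), _sign(sid)):
        SESSIONS.pop(sid, None)  # an edited cookie flushes the session
        return None
    return SESSIONS.get(sid)


def record_click(cookie: Optional[str], topic: str) -> None:
    """Store interest data against the account, not in the browser."""
    account = resolve(cookie)
    if account is not None:
        AD_PROFILES.setdefault(account, []).append(topic)


def pick_ad(cookie: Optional[str]) -> str:
    """Choose an ad from the server-side profile; anonymous visitors get the default."""
    history = AD_PROFILES.get(resolve(cookie), [])
    return "ad:" + history[-1] if history else "ad:default"
```

Because the profile is keyed on the account, clearing cookies only removes the pointer to it; the next login from any machine resolves to the same history.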


