Who is eating all the cookies?
November 13, 2005 4:08 PM

Where have all my user's cookies gone?

I run an ASP model company, where each customer gets their own web-site. Each site is enhanced with additional features that currently require the browser to 'login' and cookies are used to track the session/login id.

In the past month, I have noticed that more and more users are coming to the site with their cookies turned off. It started with maybe one or two users a week to now about five users per day. Our software was not checking for that, and so they just get a broken user experience. Tonight, I am upgrading to request that they enable cookies in their browser before they continue.

My question is, why this change in normal web browsing behaviour? Our browser/user base is very varied, but for the most part, not technically minded people. It really seems like it has just been in this past month that we have noticed this increase/trend.

Does anyone know if Norton, McAfee, or similar anti software is now disabling cookies by default?

My cookies are named '_login' and 'site-sid'.. do I need to rename them to not get caught in this trap?

I am looking at embedding the session id cookie into the URLs of the site to circumvent this.. are there other, more modern techniques I can use? I am worried about security risks with this technique (emailing a link to a friend for example)
posted by dhammala to Technology (9 answers total)
 
You're getting hit by robots. A lot of the 'bad' robots don't accept cookies.
posted by bingo at 4:12 PM on November 13, 2005


One interesting way of doing http state is to use wildcard DNS to store a username. So each user gets http://myname.site.com. Of course, that would be a security problem without authentication.

As long as it's hard for people to guess a session ID, they should be reasonably secure.
posted by delmoi at 4:13 PM on November 13, 2005


For sure it is not bots -- people log into the site by giving us their phone number, name and email, and performing a search on real estate data. All of this information is captured, but since they are not storing cookies, they don't get any further into the site..
posted by dhammala at 4:32 PM on November 13, 2005


I am looking at embedding the session id cookie in to the URLs of the site to circumvent this.
... and ...
One interesting way of doing http state is to use wildcard DNS to store a username
Don't use either of those schemes if your site contains any links to external third-party sites that are not under your administrative control. If such links exist and you implement either of these schemes then it may well be possible for someone with access to the log for any of the external sites to compromise a user's account on your site by performing a session hijack.
posted by RichardP at 5:00 PM on November 13, 2005



For sure it is not bots -- people log into the site by giving us their phone number, name and email, and performing a search on real estate data.


Er...according to the traditional model, shouldn't the cookies be set at the moment that the user gives that information, so that if they don't allow cookies, they effectively haven't given you the info?
posted by bingo at 5:38 PM on November 13, 2005


Thanks for thinking about it, bingo.. all of the cookies are being set via server-side headers, no client-side javascript or the like. The user gives us their contact info by submitting the form. The server side app then stores the info and sets the cookie in the return page. If the user has cookies, then all of the subsequent pages share the same session data.. if not, the user can't pass go and creates multiple sessions per page load. That's how I know it isn't bots -- I am seeing a lot of valid info and numerous sessions. I am now even logging how many cookies are sent to the server side app on each page request.
posted by dhammala at 8:38 PM on November 13, 2005


Are the cookies set at the site url or at a third-party url? Most browsers now allow you to filter cookies to only accept cookies from the originating url and some browsers may be set that way by default now.
posted by yerfatma at 4:25 AM on November 14, 2005


What's the user agent of the cookie-refusers?

And when you tell people to enable cookies, please tell them what server they need to accept cookies from instead of pretending that one's only choices are to accept all cookies or reject all cookies.
posted by Zed_Lopez at 10:04 AM on November 14, 2005


Cookies are all being set for the originating url only. Last time I looked at the logs, I only noticed IE 6 user agents.. I will grep again and see if there is additional info.
posted by dhammala at 1:27 PM on November 14, 2005
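The grep dhammala mentions, done as an added example that is not from the thread: a Python script over constructed access-log lines (the thread's 'site-sid' cookie name; the addresses, agents and session values are fictitious) that flags clients which were issued a session cookie but never sent it back, and reports them per user agent as Zed_Lopez suggests.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic): combined access-log format plus two
# quoted fields: the request's Cookie header and the response's Set-Cookie header
# ("-" when absent). 10.0.0.1 echoes its cookie back; 10.0.0.2 never does.
SAMPLE_LOG = """\
10.0.0.1 - - [13/Nov/2005:16:08:01 -0500] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-" "site-sid=abc123; path=/"
10.0.0.1 - - [13/Nov/2005:16:08:05 -0500] "GET /search HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "site-sid=abc123" "-"
10.0.0.2 - - [13/Nov/2005:16:10:01 -0500] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-" "site-sid=def456; path=/"
10.0.0.2 - - [13/Nov/2005:16:10:03 -0500] "GET /search HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-" "site-sid=ghi789; path=/"
10.0.0.2 - - [13/Nov/2005:16:10:06 -0500] "GET /listing/7 HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-" "site-sid=jkl012; path=/"
10.0.0.3 - - [13/Nov/2005:16:11:00 -0500] "POST /login HTTP/1.1" 200 512 "-" "SomeBot/1.0" "-" "site-sid=mno345; path=/"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" '
    r'"(?P<ua>[^"]*)" "(?P<cookie>[^"]*)" "(?P<setcookie>[^"]*)"$'
)
SID_RE = re.compile(r"site-sid=([^;]+)")  # the thread's session cookie name


def find_cookie_refusers(log_text):
    """Clients issued a site-sid cookie that kept requesting pages but never sent
    one back; a client with no later request (10.0.0.3) is left out."""
    issued, returned, after = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unexpected format; skip rather than guess
        key = (m["ip"], m["ua"])
        if issued[key]:
            after[key] += 1  # a request made after a cookie was issued
        if sent := SID_RE.search(m["cookie"]):
            returned[key].add(sent.group(1))
        if new := SID_RE.search(m["setcookie"]):
            issued[key].add(new.group(1))
    return {
        key: {"issued": len(sids), "returned": len(returned[key]),
              "requests_after": after[key]}
        for key, sids in issued.items()
        if after[key] and not (sids & returned[key])
    }


def refusers_by_user_agent(log_text):
    """Count cookie-refusing clients per user agent (the thread's question)."""
    counts = defaultdict(int)
    for _ip, ua in find_cookie_refusers(log_text):
        counts[ua] += 1
    return dict(counts)
```

A real server would need the Cookie and Set-Cookie headers added to its log format for this to work; the one-session-per-page pattern dhammala describes shows up as several issued values and zero returned.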

