Can You Really Trust A Cookie?

Is there a market in reverse engineering cookies in order to present a false identity to a website? Ecommerce sites routinely provide various discounts, and potentially even variable pricing, to individuals based on behavioral analysis. For example, if a site sees you visited six times, browsed, but did not purchase, perhaps they’ll pop up a “$10 off today” coupon.

Got me thinking – could you write a piece of software which, for a given site, presents a large number of manufactured cookies in rapid succession to find which one triggers advantageous pricing?

Are there other scenarios where manufactured cookies would be helpful? Take “10 free articles before hitting the paywall”: today you clear your cookies in order to restart the count, but what about constantly re-presenting that site with a cookie suggesting you’ve only read one article?

Today cookies are generally trusted for machine-to-machine communication. Should they be?

Update via Mark Ayzenshtat:
This kind of technique would not get very far. Sites that stored, e.g., numArticlesRead=1 inside the cookie could easily ensure that it wasn’t tampered with by adding a message authentication code (HMAC) to the cookie state. Or (more work for the site) they could avoid storing anything in the cookie beyond a randomly generated user ID and track the interesting parts (like how many articles you’ve viewed) entirely on the server.
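Both countermeasures in the update, as an added Python example (not code from the post or from Mark Ayzenshtat): an HMAC tag over the cookie state so that an edited numArticlesRead is rejected, and the alternative of handing out only an opaque random ID and keeping the counter server-side. The secret key and the in-memory session store are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed server-side secret for the example; a real site loads it from config.
SECRET_KEY = b"example-secret-key-do-not-reuse"


def sign_cookie(state: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the cookie state and append an HMAC-SHA256 tag over it."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the state dict if the tag matches, else None (tampered or malformed)."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def tamper(cookie: str, new_count: int) -> str:
    """Simulate a client editing numArticlesRead without knowing the key."""
    payload, _, tag = cookie.rpartition(".")
    state = json.loads(payload)
    state["numArticlesRead"] = new_count
    return json.dumps(state, sort_keys=True, separators=(",", ":")) + "." + tag


# Alternative: the cookie carries only a random ID; all state lives on the server.
SESSION_STORE: dict = {}  # constructed in-memory store standing in for a database


def issue_session_id() -> str:
    """Create a fresh, unguessable session ID with a zeroed article counter."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = {"numArticlesRead": 0}
    return sid


def record_article_view(sid: str):
    """Increment the server-side counter; unknown (forged) IDs get None."""
    if sid not in SESSION_STORE:
        return None
    SESSION_STORE[sid]["numArticlesRead"] += 1
    return SESSION_STORE[sid]["numArticlesRead"]
```

A client can still copy a valid signed cookie or reuse an old one; the tag only proves the server produced it, so expiry or server-side tracking is needed against replay.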
