Can You Really Trust A Cookie?

Posted on by

Is there a market in reverse engineering cookies in order to present a false identity to a website? Ecommerce sites routinely provide various discounts, and potentially even variable pricing, to individuals based on behavioral analysis. For example, if a site sees you visited six times, browsed, but did not purchase, perhaps they’ll pop up a “$10 off today” coupon.

Got me thinking – could you write a piece of software which for a given site, presents a large number of manufactured cookies, in rapid succession, to try and find which will trigger advantageous pricing? 
Are there other scenarios where manufactured cookies would be helpful? 10 Free Articles Before Hitting Paywall – today you clear your cookies in order to restart, but what about constantly re-presenting that site with a cookie suggesting you’ve only read one article? 
Today cookies are generally trusted for machine-to-machine communication. Should they?

Update via Mark Ayzenshtat:
This kind of technique would not get very far. Sites that stored, e.g., numArticlesRead=1 inside the cookie could easily ensure that it wasn’t tampered with by adding a message authentication code (HMAC) to the cookie state. Or (more work for the site) they could avoid storing anything in the cookie beyond a randomly generated user ID and track the interesting parts (like how many articles you’ve viewed) entirely on the server.