Marketo Cookie Access | Community
Skip to main content
Adam_Hodgden1
Adam_Hodgden1
Level 2
February 22, 2016
Solved

Marketo Cookie Access

  • February 22, 2016
  • 2 replies
  • 2915 views

Has anyone ever experienced this concern with their IT department when creating a CNAME?

Allowing Marketo to host info.company.com would allow Marketo access to cookies defined at *.company.com – this includes customer and employee data. Is it possible to add a level of indirection to prevent the cookie access and add transparency? E.g. Use info.mkto.company.com – this would signal to our more security-conscious customers that these are subdomains controlled by a third party, and also limit Marketo’s access to cookies to only those in the *.mkto.company.com subdomain.

Thanks

Adam

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by SanfordWhiteman

Allowing Marketo to host info.company.com would allow Marketo access to cookies defined at *.company.com – this includes customer and employee data.

  1. If they're storing PII in cookies, that's a security risk right there, with or without Marketo!  I'd suggest that's what needs to be fixed first, by encrypting the data (if it must be kept on the client) or keeping only a session key on the client.
  2. Unless your PII cookies are marked "http only" (so they cannot be read from JavaScript under any circumstances) the fact that Marketo is hosting info.company.com is irrelevant.  As Greg mentioned, running JavaScript on any of your pages, whether that JS is from Google, Marketo, Optimizely, or in-house code, gives the script access to all cookies not marked "http only."  In other words, if you are running GA on www.company.com such cookies are already compromised.

Is it possible to add a level of indirection to prevent the cookie access and add transparency? E.g. Use info.mkto.company.com – this would signal to our more security-conscious customers that these are subdomains controlled by a third party, and also limit Marketo’s access to cookies to only those in the *.mkto.company.com subdomain.

Sure, if you don't care about automatically tracking people's click path after they click a link to go from mkto.company.com to www.company.com, you can lock Munchkin to only track on .mkto.company.com. 

But:

  1. Most Marketo users would find that to be a severe impediment to getting the expected ROI from the platform.
  2. That move alone will not stop cookies you set at the upper-level .company.com (not .www.company.com) from being sent to Marketo.  Your developers would also have to ensure that www.company.com always sets cookies at the .www.company.com level.  Then and only then will the domains be separate.

It is possible to keep the domains separate but still track across domains, using code that varies from the simple to the dizzyingly complex depending on your environment.  It's something we love to do, but we always establish that there is an unambiguous, compelling need for the setup first (typically that unambiguous need is when someone must have both company.<one TLD> and company.<another TLD> in production).

2 replies

Grégoire_Miche2
Grégoire_Miche2
Level 10
February 22, 2016

Hi Adam,

IMHO, the security concern may come from the fact that you are putting JS code on you pages as well, in the first place

AFAIK, The CNAME does not tell at what domain level the cookie should be placed. it just tell how the landing pages URL will be set.

If order to change the level at which Marketo cookie will be set, you may want to change the domainlevel parameter. See Effect and usage of the domainlevel munchkin Initialization Parameter

-Greg

SanfordWhiteman
SanfordWhitemanAccepted solution
Level 10
February 22, 2016

Allowing Marketo to host info.company.com would allow Marketo access to cookies defined at *.company.com – this includes customer and employee data.

  1. If they're storing PII in cookies, that's a security risk right there, with or without Marketo!  I'd suggest that's what needs to be fixed first, by encrypting the data (if it must be kept on the client) or keeping only a session key on the client.
  2. Unless your PII cookies are marked "http only" (so they cannot be read from JavaScript under any circumstances) the fact that Marketo is hosting info.company.com is irrelevant.  As Greg mentioned, running JavaScript on any of your pages, whether that JS is from Google, Marketo, Optimizely, or in-house code, gives the script access to all cookies not marked "http only."  In other words, if you are running GA on www.company.com such cookies are already compromised.

Is it possible to add a level of indirection to prevent the cookie access and add transparency? E.g. Use info.mkto.company.com – this would signal to our more security-conscious customers that these are subdomains controlled by a third party, and also limit Marketo’s access to cookies to only those in the *.mkto.company.com subdomain.

Sure, if you don't care about automatically tracking people's click path after they click a link to go from mkto.company.com to www.company.com, you can lock Munchkin to only track on .mkto.company.com. 

But:

  1. Most Marketo users would find that to be a severe impediment to getting the expected ROI from the platform.
  2. That move alone will not stop cookies you set at the upper-level .company.com (not .www.company.com) from being sent to Marketo.  Your developers would also have to ensure that www.company.com always sets cookies at the .www.company.com level.  Then and only then will the domains be separate.

It is possible to keep the domains separate but still track across domains, using code that varies from the simple to the dizzyingly complex depending on your environment.  It's something we love to do, but we always establish that there is an unambiguous, compelling need for the setup first (typically that unambiguous need is when someone must have both company.<one TLD> and company.<another TLD> in production).

    Adam_Hodgden1
    Adam_Hodgden1Author
    Level 2
    February 23, 2016

    Thank you Sanford, that's what I needed to know.

    SanfordWhiteman
    SanfordWhiteman
    Level 10
    February 23, 2016

    Cool, if you could mark as Correct Answer that would help later searches.

    Terms & ConditionsAccessibility statement

    Loading footer...