Adobe Analytics Security Concerns with 1st Party Cookies/Cname and possible solutions? | Community
Skip to main content
M
MichaelJo13
Level 4
October 16, 2015
Solved

Adobe Analytics Security Concerns with 1st Party Cookies/Cname and possible solutions?

  • October 16, 2015
  • 1 reply
  • 1262 views

I work for a bank and security is a major concern. We are currently using a cname on Adobe's collection servers (e.g. stats.bank.com) in order to have Adobe serve first party cookies on the bank.com domain. Our security council now says we shouldn't provide Adobe with a new SSL cert for stats.bank.com because it is too risky and if stats.bank.com is compromised and someone attacks our customers then we our liable due to it being our brand and all the cookie data is exposed as well as leaving customers open to malware attacks. So we have the following options:

  1. Bring reporting in-house
  2. Set up a filtering proxy operating as “stats.bank.com” that front-ends the relevant Adobe service
  3. Go back to Adobe's 3rd Party solution 2o7.net namespace
  4. Use a different 3rd party namespace on adobe's servers (e.g. stats.bk.com)

Here are our thoughts:

1) Too expensive

2) We thought it was a good solution but then the cost came up. It seems like it would be very costly to build that type of infrastructure due to the volume of calls.

3) Adobe's 3rd party namespace blocked too much.

4) Seems to maybe be a solution but still concerned about 3rd party being blocked.

I was wondering if anyone has had to deal with these type of security concerns and what the solution was. Also what are the drawbacks of solution #4 in particular?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Gigazelle

Hi Michael,

You can use our visitorID service in your implementation. This allows 1st party cookies to be set without a need for an SSL cert from you guys, however the root domain must be the same as the web site in question. For example, if I own the domains examplebankone.com and examplebanktwo.com, the visitorID cookie must be set on their respective domains, not any consolidated cookie domain like stats.examplebank.com. If visitors were tracked in a single report suite from both examplebankone and examplebanktwo, they would count as two separate visitors since the visitorID cookies in question were separate.

If you do not have a global report suite, or everything is on the same root domain, visitorID service is most definitely one of the more viable options for you.

1 reply

Gigazelle
Adobe Employee
GigazelleAdobe EmployeeAccepted solution
Adobe Employee
October 16, 2015

Hi Michael,

You can use our visitorID service in your implementation. This allows 1st party cookies to be set without a need for an SSL cert from you guys, however the root domain must be the same as the web site in question. For example, if I own the domains examplebankone.com and examplebanktwo.com, the visitorID cookie must be set on their respective domains, not any consolidated cookie domain like stats.examplebank.com. If visitors were tracked in a single report suite from both examplebankone and examplebanktwo, they would count as two separate visitors since the visitorID cookies in question were separate.

If you do not have a global report suite, or everything is on the same root domain, visitorID service is most definitely one of the more viable options for you.

Terms & ConditionsAccessibility statement

Loading footer...