04-24-2008, 05:59 PM
Err. Bit of an odd one.

So I'm doing some work on my site - adding in an xmlhttp request to pull in my rss feed and display it.

I'm working away, Firebug in the bottom of my screen, and I see the request fire off as the page loads. And I see the following sent as a cookie in the request headers:

sageamp=sageampNQNUQ363%7CsageampPWSPD536%7C; uts9.zid=93; __utmz=12146471.1207310707.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); p.med.r9Origin=LGW; CFID=8584114; smuid=22042008-0-87194123233303691208876454; __utma=12146471.974637617.1207310707.1207310707.1207310707.1; uts9.aid=963; CFTOKEN=21690652http%3A%2F%2Feconomist%2Eco%2Euk%2Fdisplaystory%2Ecfm%3Fstory%5Fid%3D9249262; CFMAGIC=8584114%3A21690652http%3A%2F%2Feconomist%2Eco%2Euk%2Fdisplaystory%2Ecfm%3Fstory%5Fid%3D9249262; camp=sageampNQNUQ363%60%60Tue%2C%2022%20Apr%202008%2015%3A00%3A52%20GMT%7CsageampPWSPD536%60%60Tue%2C%2022%20Apr%202008%2015%3A00%3A52%20GMT%7C; ASPSESSIONIDASDRSTCQ=BHBCNNGDNBGFMMNHKNIKKEKM; ASPSESSIONIDCQDRTSDR=NIDPBKDACCADHBJIAIOGMHBG

What the.... ? Why have I got "CFTOKEN" and "CFMAGIC" values being sent? And what on earth are they pointing at The Economist for?

This is a site on MY server. It's pulling an xml file on my server. It's a pure IIS windows box, it's not running Coldfusion. Where have those values come from, and why are they getting sent?


Hmmm. This gets more and more suspicious. Googling "sageamp"... targeted advertising, partnerships with ISPs... it seems I'm being spied on....

04-25-2008, 09:56 AM
Does it happen on every site you go to, or just your own?

05-29-2008, 02:42 PM
I have been investigating this exact issue, and I think it might be either a bug in Firefox, either existing or fixed, where the cookies are left over.

I have several lines in my cookies.txt file (FF2) with the domain set to ".co.uk", which means those cookies are being sent to ALL .co.uk sites. I have read about an old bug where browsers would allow cookies to be set to this domain, but I am pretty sure that none of the cookies involved are that old.

For example I have these lines:

.co.uk TRUE / FALSE 2075208390 p2.med.r9Origin BWI
.co.uk TRUE / FALSE 2034845104 pk.med.r9Origin LON

I searched a few sites for flights from LON<>BWI recently, certainly no earlier than March time. I can't pinpoint which site it could have been (several let you search on LON as all London airports), but I use kayak mainly. Searching on "r9Origin" brings a couple of results with people reporting the same issue, and it's how I found this forum.

Also I have the line:

.co.uk TRUE / FALSE 1239854397 UndercoverUK LastVisit=4%2F16%2F2008 [etc]

UndercoverUK is an ecommerce site that I may well have visited around that time - I was looking for wallets I think, interestingly it's a .com though.

I also have the sageamp/camp cookies set to .co.uk too.

I am busy right now but I'll do some digging later and see if I can reproduce it. edit: I should add, our ISP is Zen, and nothing to do with Phorm.
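
Added example (not part of the original posts): a small Python audit that parses a Netscape-format cookies.txt, as Firefox 2 stores it, and flags cookies whose domain is a public suffix like the `.co.uk` entries quoted above. `PUBLIC_SUFFIXES`, `SAMPLE` and the function names are assumptions made for this illustration; a real audit would load the full Public Suffix List.

```python
# Added example: audit a Netscape-format cookies.txt for over-broad domains.
# PUBLIC_SUFFIXES is a tiny constructed sample, not the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "org.uk", "ac.uk"}

# Constructed sample: the first two entries are the ones quoted in the post,
# the third is a correctly scoped cookie added for comparison.
SAMPLE = """\
# Netscape HTTP Cookie File
.co.uk\tTRUE\t/\tFALSE\t2075208390\tp2.med.r9Origin\tBWI
.co.uk\tTRUE\t/\tFALSE\t2034845104\tpk.med.r9Origin\tLON
.kayak.co.uk\tTRUE\t/\tFALSE\t1246021689\tp2.med.sc\t1
"""


def parse_cookies_txt(text):
    """Yield one dict per cookie line (domain, flag, path, secure, expiry, name, value)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # tabs in the real file, spaces when pasted
        if len(fields) < 6:
            continue  # malformed line
        fields += [""] * (7 - len(fields))  # an empty value leaves only 6 fields
        domain, flag, path, secure, expiry, name, value = fields
        yield {"domain": domain.lower(), "subdomains": flag == "TRUE",
               "path": path, "secure": secure == "TRUE",
               "expiry": int(expiry), "name": name, "value": value}


def is_overbroad(cookie):
    """True when the cookie's domain is itself a public suffix such as .co.uk."""
    return cookie["domain"].strip(".") in PUBLIC_SUFFIXES


def sent_to(cookie, host):
    """Domain match only; path, secure flag and expiry are ignored here."""
    domain, host = cookie["domain"].lstrip("."), host.lower()
    return host == domain or (cookie["subdomains"] and host.endswith("." + domain))


def audit(text):
    """Names of cookies that any site under the same public suffix would receive."""
    return [c["name"] for c in parse_cookies_txt(text) if is_overbroad(c)]


if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("over-broad domain:", name)
```

`sent_to()` shows why the flagged entries matter: a cookie stored for `.co.uk` domain-matches any host ending in `.co.uk`, while the `.kayak.co.uk` one only matches hosts under kayak.co.uk.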

03-28-2009, 02:52 PM
There was a long outstanding bug with Firefox, where a web site could set a cookie with .co.uk. as the domain:


I think it was fixed in FF2 though.

Kayak is the site that sets the p2.med.r9Origin cookie when you click the search button. However, in a quick test it seems like they're setting it with the correct domain now:

Set-Cookie: cluster=2; Domain=.kayak.co.uk; Path=/
Set-Cookie: p2.med.r9Origin=LON; Domain=.kayak.co.uk; Expires=Fri, 26-Jun-2009 13:08:09 GMT; Path=/
Set-Cookie: p2.med.sc=1; Domain=.kayak.co.uk; Expires=Fri, 26-Jun-2009 13:08:09 GMT; Path=/

However, I just saw a request from a Firefox 3.0.2 client to a site I administer that has various cookies not set by my domain:


I think most of the other cookies are from Sagemetrics, a metrics/tracking company. But again, I couldn't reproduce their site setting cookies on .co.uk.


03-29-2009, 08:52 AM
