lagman/evercookie

Evercookie is a Javascript API that produces extremely persistent cookies in a browser

Evercookie

Evercookie is a Javascript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others., _(*1)

This is accomplished by storing the cookie data as many browser storage mechanisms as possible. If cookie data is removed from any of the storage mechanisms, evercookie aggressively re-creates it in each mechanism as long as one is still intact., _(*2)

If the LSO mechanism is available, Evercookie may even propagate cookies between different browsers on the same client machine!, _(*3)

By Samy Kamkar, with awesome contributions from others, _(*4)

Browser Storage Mechanisms

Client browsers must support as many of the following storage mechanisms as possible in order for Evercookie to be effective., _(*5)

• Standard HTTP Cookies
• Flash Local Shared Objects
• Silverlight Isolated Storage
• CSS History Knocking
• Storing cookies in HTTP ETags (Backend server required)
• Storing cookies in Web cache (Backend server required)
• window.name caching
• Internet Explorer userData storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage via SQLite
• HTML5 Canvas - Cookie values stored in RGB data of auto-generated, force-cached PNG images (Backend server required)
• HTML5 IndexedDB
• Java JNLP PersistenceService
• Java exploit CVE-2013-0422 - Attempts to escape the applet sandbox and write cookie data directly to the user's hard drive.

To be implemented someday (perhaps by you?):, _(*6)

• HTTP Strict Transport Security Pinning
• Google Gears
• Using Java to produce a unique key based off of NIC info
• Caching in HTTP Authentication
• Other methods? Please comment!

The Java persistence mechanisms are developed and maintained by Gabriel Bauman over here., _(*7)

Backend Server

Some of the storage mechanisms require a backend server. This package comes with PHP implementation of the etag, cache and png backend servers. - For Node.js version, please visit node-evercookie. - For Django version, please visit Django Evercookie, _(*8)

Caveats

Be warned! Evercookie can potentially cause problems for you or your users., _(*9)

• Some storage mechanisms involve loading Silverlight or Flash in the client browser. On some machines this can be a very slow process with lots of disk thrashing. On older mobile devices this can render your site unusable., _(*10)

• CSS History Knocking can cause a large number of HTTP requests when a cookie is first being set., _(*11)

• In some circles, it is considered rude to use Evercookie. Consider your reputation and your audience when using Evercookie in production., _(*12)

• Browser vendors are doing their best to plug many of the holes exploited by Evercookie. This is a good thing for the Internet, but it means what works today may not work so well tomorrow., _(*13)

You are responsible for your own decision to use Evercookie. Choose wisely., _(*14)

Got an idea?

Open a pull request!, _(*15)