Flash Cookies


Yesterday I found out something quite interesting while reading a thread at LinuxQuestions.org. Summary: the Flash browser plugin lets Flash applications store information persistently on your hard drive. Sorry if this is common knowledge, but I didn’t know it and I’m quite shocked. That information can (but need not) be used like browser cookies, as the thread shows. These days many people take their cookies seriously, maybe disabling them, deleting them from time to time, or adjusting the browser’s cookie settings so that every cookie is treated as a session cookie and deleted when the browser is closed. Now you need to be aware of a new battlefront. Under Linux (and probably other Unix systems), these pieces of information are stored under $HOME/.macromedia/. Run find ~/.macromedia -print to get an overview.

I remember one of the reasons people started to care about cookies in the first place was that sites like DoubleClick (recently bought by Google) would serve ads for thousands of websites on the net, and those ads would store a cookie on your hard drive identifying you, so they could in theory track what you visited on the net and build a profile. Today the problem would still exist because sometimes ads are served in Flash format.

You can, however, configure the Flash plugin so it doesn’t let anybody store anything on your hard drive. It must be noted that to do so you must visit macromedia.com and adjust the plugin settings from a Flash application that is available on their site. Moreover, if you completely disable data storage, you are warned that some sites may stop working. Amazing. So this problem is hard to avoid. My personal recommendation is to use a browser plugin like the typical FlashBlock for Firefox or the "Load plugins on demand" setting under Konqueror, so every Flash application is blocked unless you specify otherwise. You may also want to delete the $HOME/.macromedia/ directory from time to time, or at least part of its contents (settings are also stored in that directory). It’s also worth mentioning that the settings and data are cross-browser, obviously. They are stored by the Flash plugin no matter what browser you’re running the plugin from.
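To go beyond find ~/.macromedia -print and to delete only part of the directory's contents, the shell functions below (an added example, not from the original post or thread) summarise the stored objects per site and remove them while leaving the plugin settings in place. The Flash_Player/#SharedObjects/<random-id>/<site>/ layout, the .sol extension and the function names are assumptions; the post itself only names $HOME/.macromedia/.

```shell
#!/bin/sh
# Added example: audit and purge Flash stored objects under ~/.macromedia.
# Assumed layout (not stated in the post):
#   <root>/Flash_Player/#SharedObjects/<random-id>/<site>/.../*.sol  site data
#   <root>/Flash_Player/macromedia.com/...                           settings
FLASH_ROOT="${FLASH_ROOT:-$HOME/.macromedia}"
MARKER='/#SharedObjects/'

# Print "site<TAB>bytes<TAB>path" for every stored object below the root.
lso_list() {
    root="${1:-$FLASH_ROOT}"
    [ -d "$root" ] || return 0          # plugin never ran: nothing to report
    find "$root" -type f -name '*.sol' -path "*${MARKER}*" |
    while IFS= read -r f; do
        rel=${f#*"$MARKER"}             # <random-id>/<site>/...
        rel=${rel#*/}                   # <site>/...
        bytes=$(wc -c < "$f" | tr -d ' ')
        printf '%s\t%s\t%s\n' "${rel%%/*}" "$bytes" "$f"
    done
}

# Print "site<TAB>object count<TAB>total bytes", one line per site, sorted.
lso_domains() {
    lso_list "${1:-}" | awk -F '\t' '
        { n[$1]++; b[$1] += $2 }
        END { for (s in n) printf "%s\t%d\t%d\n", s, n[s], b[s] }' | sort
}

# Delete site data only; the settings tree is left untouched.
lso_purge() {
    root="${1:-$FLASH_ROOT}"
    [ -d "$root" ] || return 0
    find "$root" -type f -name '*.sol' -path "*${MARKER}*" -exec rm -f -- {} +
    # Emptied directories are removed too: their names still list the sites.
    find "$root" -depth -type d -path "*${MARKER}*" -exec rmdir {} + \
        2>/dev/null || true
}

# Usage: script list [root] | script purge [root]
case "${1:-}" in
    list)  lso_domains "${2:-}" ;;
    purge) lso_purge "${2:-}" ;;
esac
```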

It’s a shame that so many websites require Flash for basic browsing, and that there is no Flash plugin for many platforms. The plugin could also have an option to delete any hard drive data when closing it, similar to the option to treat all cookies as session cookies that many browsers feature.
