evercookie

Produces persistent, respawning "super" cookies in a browser, abusing over a dozen techniques. Its goal is to identify users after they've removed standard cookies and other privacy data such as Flash cookies (LSOs), HTML5 storage, SilverLight storage, and others.

samyk

4113

675

JavaScript

Evercookie

Evercookie is a Javascript API that produces extremely persistent cookies in a
browser. Its goal is to identify a client even after they’ve removed standard
cookies, Flash cookies (Local Shared Objects or LSOs), and others.

This is accomplished by storing the cookie data on as many browser storage
mechanisms as possible. If cookie data is removed from any of the storage
mechanisms, evercookie aggressively re-creates it in each mechanism as long as
one is still intact.

If the Flash LSO, Silverlight or Java mechanism is available, Evercookie can even propagate cookies
between different browsers on the same client machine!

By Samy Kamkar, with awesome contributions from others

Browser Storage Mechanisms

Client browsers must support as many of the following storage mechanisms as
possible in order for Evercookie to be effective.

Standard HTTP Cookies
Flash Local Shared Objects
Silverlight Isolated Storage
CSS History Knocking
Storing cookies in HTTP ETags (Backend server required)
Storing cookies in Web cache (Backend server required)
HTTP Strict Transport Security (HSTS) Pinning (works in Incognito mode)
window.name caching
Internet Explorer userData storage
HTML5 Session Storage
HTML5 Local Storage
HTML5 Global Storage
HTML5 Database Storage via SQLite
HTML5 Canvas - Cookie values stored in RGB data of auto-generated, force-cached PNG images (Backend server required)
HTML5 IndexedDB
Java JNLP PersistenceService
Java exploit CVE-2013-0422 - Attempts to escape the applet sandbox and write cookie data directly to the user’s hard drive.

To be implemented someday (perhaps by you?):

TLS Session Resumption Identifiers/Tickets (works in Incognito mode)
Generating HTTP Public Key Pinning (HPKP) certificates per user
Caching in HTTP Authentication
Google Gears
Using Java to produce a unique key based off of NIC info
Other methods? Please comment!

The Java persistence mechanisms are developed and maintained by Gabriel Bauman
over here.

Backend Server

Some of the storage mechanisms require a backend server. This package comes with PHP implementation of the etag, cache and png backend servers.

For Node.js version, please visit node-evercookie.
For Django version, please visit Django Evercookie

Caveats

Be warned! Evercookie can potentially cause problems for you or your users.

Some storage mechanisms involve loading Silverlight or Flash in the client
browser. On some machines this can be a very slow process with lots of disk
thrashing. On older mobile devices this can render your site unusable.
CSS History Knocking can cause a large number of HTTP requests when a cookie
is first being set.
In some circles, it is considered rude to use Evercookie. Consider your
reputation and your audience when using Evercookie in production.
Browser vendors are doing their best to plug many of the holes exploited by
Evercookie. This is a good thing for the Internet, but it means what works
today may not work so well tomorrow.

You are responsible for your own decision to use Evercookie. Choose wisely.

Got an idea?

Open a pull request!