Flash Cookies

I briefly mentioned Flash cookies in a previous post in the context of ClickToFlash, but the topic warrants its own posting.

Flash cookies (aka “Flash Local Shared Objects”, aka “Flash Web Site Storage”) are like normal browser cookies — smallish chunks of data the client stores on behalf of the server for various purposes.

Flash cookies go beyond browser cookies in a few important ways:

  • Flash cookies can store more data than browser cookies. Up to 100K without user intervention.

  • Flash cookies span browsers. If you jump between Safari, Camino, Firefox and Chromium, normal browser cookies won’t follow you, but they all use the same Flash plugin with the same storage backend.

  • Sites can use Flash cookies to resurrect browser cookies. I attended a DEFCON talk a couple of years back that illustrated the use of Flash cookies to back up user-deletable browser cookies. Of course, it’s easy to delete Flash cookies as well, but having to go to a specific web page is a lot less obvious than looking in your browser’s preferences window.

  • Flash cookies never expire by default. A lot of sites manually clear these out for you, but you’re relying on the kindness of strangers there.

For all the above reasons, Flash cookies have become one of the factors behind my recommendation to disable automatic loading of invisible Flash views in ClickToFlash.
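As an added example (not part of the original post), here is a small audit script that walks a Flash Player `#SharedObjects` tree and reports, per site, how much is stored, how many `.sol` files there are, how old the oldest one is, and whether the site has reached the 100K no-prompt quota described above. The storage roots in the comments are the standard Flash Player locations for macOS and Linux; the domain names, sizes and ages in `demo()` are constructed sample data, not anything observed on a real machine.

```python
import os
import tempfile
import time
from pathlib import Path

# Standard #SharedObjects roots (confirm on your own system):
#   macOS: ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects
#   Linux: ~/.macromedia/Flash_Player/#SharedObjects
# Layout under the root: <random-id>/<domain>/<path...>/<name>.sol
DEFAULT_QUOTA = 100 * 1024  # the 100K a site may store without asking the user


def audit_shared_objects(root, now=None, quota=DEFAULT_QUOTA):
    """Summarise .sol files per domain: bytes, file count, age of the oldest
    file in days, and whether the domain has reached the no-prompt quota."""
    now = time.time() if now is None else now
    per_domain = {}
    root = Path(root)
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:  # expect <random-id>/<domain>/.../<name>.sol
            continue
        domain = parts[1]
        st = sol.stat()
        rec = per_domain.setdefault(
            domain, {"domain": domain, "bytes": 0, "files": 0, "oldest": st.st_mtime})
        rec["bytes"] += st.st_size
        rec["files"] += 1
        rec["oldest"] = min(rec["oldest"], st.st_mtime)
    report = sorted(per_domain.values(), key=lambda r: -r["bytes"])
    for rec in report:
        rec["age_days"] = round((now - rec["oldest"]) / 86400, 1)
        rec["at_quota"] = rec["bytes"] >= quota
    return report


def demo():
    """Build a constructed sample profile (not real data) and audit it."""
    now = time.time()
    samples = {  # relative path -> (size in bytes, age in days)
        "ABCD1234/video.example/player.sol": (4096, 400),
        "ABCD1234/ads.example/tracker.sol": (DEFAULT_QUOTA, 30),
        "ABCD1234/ads.example/backup/cookie.sol": (512, 30),
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, (size, age) in samples.items():
            p = Path(base, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"\x00" * size)  # placeholder content, not a real .sol body
            os.utime(p, (now - age * 86400,) * 2)
        return audit_shared_objects(base, now=now)
```

Point `audit_shared_objects()` at your real `#SharedObjects` directory to see which sites hold the most Flash storage and how long it has been sitting there; a domain flagged `at_quota` has used everything it can store without prompting.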

flash cookie privacy clicktoflash Nov 27 2009