What your users should know about Flash Cookies

January 11, 2010, 9:50am PST | Length: 00:06:26

Bill Detwiler explains what Flash cookies are, how they work, and how you can control them on your computer. Once you’ve watched this TR Dojo video, you can find a link to the original TechRepublic article and print the tip from our TR Dojo Blog.

Transcript

Bill Detwiler: IT Pros and most savvy users know all about the role of Web site cookies that are placed on your PC and how to delete them. However, Flash cookies are different and their role is probably much less understood, even by the pros.

In today's episode of TR Dojo, I'll give you a brief rundown of what Flash cookies are, how they work, and how you can control them on your computer.

Flash cookies are a much-discussed topic in the TechRepublic forums, and many members think they are more insidious than regular HTTP cookies. So first, let's look at how these cookies are different.

Regular HTTP cookies are basically a way to track your activity online. They are common and these days mostly harmless. I say "harmless" here, because there's plenty of information out there to help users delete them and customize the browser settings that control their behavior. On the other hand, Flash cookies seem to be less well understood, even by many in the IT community.

Flash cookies, or Local Shared Objects, generally serve the same tracking function as HTTP cookies, but with some significant differences. First, they can hold a lot more data, up to 100 Kilobytes, where a standard HTTP cookie is only 4 Kilobytes. They have no default expiration date. They are stored in different locations on your machine so even if you go hunting for files with the .SOL extension, which Flash cookies use, you may have a hard time finding them all. And last, the security settings on your computer have no effect on them.

All of this obscurity makes a lot of security- and privacy-conscious people nervous.

This same obscurity, of course, is also what has made Flash cookies so popular with Web developers. For savvy users who caught on to HTTP cookies and learned how to find and delete them very easily, the Flash cookie became the answer.

In a nutshell, Web sites can use Flash applets embedded on their sites to write information into a preference file stored on the computer that visits the site -- that's the Flash cookie.

In fact, sites can also use Flash cookies to re-create an HTTP cookie that a user previously deleted.

So, how can you see which sites have placed Flash cookies on your machine, and how do you control this behavior?

Annoyingly, both of these questions are answered using the Adobe Flash Player Settings Manager, which you must access through a Flash element on Adobe's Flash Player support Web site. I'll post the specific address in the blog notes.

From this page, you can manage the settings of the Flash Player install on your machine. For example, from the Global Privacy Settings panel, you can prevent Web sites from accessing, or even asking permission to access, your camera and microphone.

If you want to see which Web sites have placed Flash cookies on your machine, check out the Website Storage Settings panel. Here you can see the name of the Web site, the amount of disk space each site uses to store information on your machine, the maximum amount of disk space a Web site can use before asking for more space, and the privacy setting you have specified for each site. From this panel you can also delete the Flash cookies stored by specific sites or all sites.

Now, if you want to prevent Flash cookies from being stored at all, switch to the Global Storage Settings panel and remove the check next to "Allow third-party Flash content to store data on your computer."

And if you're really concerned about Flash cookies, you may also want to try a Firefox add-on called BetterPrivacy, which promises to remove all Flash cookies each time the Web browser is closed.

Just remember that whether you disable Flash cookies through the Settings Manager or delete them with a browser add-on, once you do so, sites that use Flash cookies may not function as you expect. Sure, you should still be able to watch Flash videos, but all those high scores in your favorite Flash-based game may be gone.

For more information on Flash cookies and some interesting findings by a group of researchers at UC Berkeley, check out these articles from Michael Kassner and William Jones. I'll link to them in the blog.

And as always, for more teachings on your path to becoming an IT Ninja, visit trdojo.techrepublic.com, or you can follow me on Twitter at twitter.com/billdetwiler.

Thanks for visiting the TR Dojo.