

What's wrong with Flash Cookies? - jgrahamc
http://blog.jgc.org/2010/06/whats-wrong-with-flash-cookies.html

======
DeusExMachina
As a side note:

"This means that if, for example, you use the private mode to browse
pornography..."

I like that private browsing is recognized for its primary purpose without
the usual hypocrisy (like: "private browsing is useful when you browse for
presents for your family and don't want to spoil the surprise"). We all know
why private browsing is there.

What I also find quite funny is that Apple was the first one to introduce
private browsing. The same Apple that now wants to "free people from porn"
(quote from a Steve Jobs email).

~~~
michaelfairley
I've actually found it immensely useful for being able to log into a different
Gmail account without signing out of my primary.

~~~
xenophanes
That's what other browsers are for ;p

------
sounddust
The Firefox "Better Privacy" extension can delete these when you close the
browser, or better yet on a timer, every few minutes. This allows you to use
Flash sites that rely on them without most of the privacy issues.

(Note: don't play any long-term Flash games with Flash cookies disabled).

~~~
m0tive
I also use this. Here is the link:
<https://addons.mozilla.org/en-US/firefox/addon/6623/>

------
MichaelGG
I found the Adobe page to manage these settings[1] to be somewhat funny.

The notice underneath the Flash content says:

 _Note: The Settings Manager that you see above is not an image; it is the
actual Settings Manager. Click the tabs to see different panels, and click the
options in the panels to change your Adobe Flash Player settings_

What's that say for the UI usability?

1:
[http://www.macromedia.com/support/documentation/en/flashplay...](http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html)

~~~
code_duck
What I find odd about that page is how it reloads when you switch to different
tabs.

I thought... it was Flash? And it could just change to the new tab without the
whole HTML wrapper page reloading?

~~~
Qz
It might be so that any settings changes are in effect when you switch to the
next panel, which can't happen without reloading the .swf.

~~~
code_duck
I'm sure they have a good reason, too.

------
imurray
I don't use any flash applications that I want to store anything. In the past
(in linux) I did:

    rm -Rf ~/.macromedia && touch ~/.macromedia

which stopped flash creating the ~/.macromedia directory and being able to
store anything on disk. This caused problems with the odd rare site that
insisted on storing things, and the BBC iplayer would become unresponsive. Now
I call my browser from a shell script which deletes ~/.macromedia whenever I
close it.

~~~
Tichy
My experience with trying to disable cookies was that the (Flash) web became
unusable. All sites with Flash content would just keep nagging and nagging.

~~~
dhimes
Somewhere on this site I posted my aliases for dealing with this problem
(<http://news.ycombinator.com/item?id=1401118>)

------
civild
Flash Cookies are also quite often used for "stuffing" by unscrupulous
affiliates for all of the reasons mentioned in the article.

------
wanderr
If you disable 3rd party flash cookies, that should eliminate all unwanted
tracking.

Meanwhile, flash cookies are useful for other things: Pandora uses them to
keep you logged in forever, even if your session on the server dies (unless
you log out), on our site we use it to store copious amounts of user data
(such as music libraries) so that it doesn't need to be loaded from the server
every time you visit.

Flash cookies are also a win over regular cookies because they aren't sent
along to the server with every single http request.

------
raganwald
Interesting question: Can HTML5 localStorage be used to circumvent cookie
controls in lieu of using Flash cookies?

~~~
mbrubeck
It would be pretty intrusive/noticeable, since the user has to opt in to allow
the site to use it. So it's probably only a risk on sites that also make
legitimate use of Web Storage.

localStorage is subject to same-origin restrictions (so advertisers can't
easily use it to track you across sites). And localStorage is handled like
cookies when you use the private browsing mode in browsers like Firefox and
Chrome, e.g.:

 _"When the browser goes into private browsing mode, a new, temporary database
is created to store local storage data; this database is emptied, and is thrown
away when private browsing mode is turned off."_

<https://developer.mozilla.org/en/dom/storage#localStorage>

(This is true of Flash 10.1 also, but wasn't true for older versions.)

------
troymc
I use Flush by machacks to delete my Flash cookies. I think it's for Mac OS X
only.
[http://machacks.tv/2009/01/27/flushapp-flash-cookie-removal-...](http://machacks.tv/2009/01/27/flushapp-flash-cookie-removal-tool-for-os-x/)

------
stevejalim
If you've got 5 mins (make a cup of tea) there's a quick talk and live demo
about this here, from Oxford Geek Night 17
(<http://oxford.geeknights.net/2010/feb-17th/>):
<http://ogn.s3.amazonaws.com/16-DavidSheldon.mp4>

------
gyardley
I suspect the use of Flash cookies will decline gradually as the use of HTML 5
increases, since a great many of them are just used to store volume settings
for commonly-used Flash-based video players.

That's not to say the use of Flash cookies by certain ad networks isn't
completely obnoxious.

------
dhimes
This has been around for a very long time (2005 or so). They were originally
called Persistent Identification Elements.

Have a browse:
http://duckduckgo.com?q=persistent+identification+elements&#...

------
skymt
It seems like all these problems could be solved by tighter integration with
browsers: add hooks for browser privacy features to NPAPI and support them in
Flash. Adobe seems to already be heading that way with the new private-
browsing support.

------
radley
This particular issue seems to pop up every year or so and there is vast
online info available on the topic already. But Flash-bashing seems to be de
rigueur these days...

Yes, Adobe is aware of some of the issues mentioned (we Flash pros cringe at
the old Macromedia settings windows _still_ in use) but some of his bugs are
in fact features (such as being browser agnostic) that behave differently
because it's simply different tech (like Mac vs Win).

In all fairness, Adobe has their hands very busy these days with AIR, the new
Flash player, and porting Flash to multiple platforms. If the old stuff works,
they're not messing with it.

~~~
earl
That's because Adobe are assholes. Don't think that avoiding/subverting user
intent with respect to cookie management is anything but an intentional
feature and selling point.

~~~
radley
Wow. He actually scores more karma for saying Adobe are assholes.

HN hits a new low.

------
code_duck
Sure, that's why I have a cron job to delete /home/<user>/.macromedia/* every
night.
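
Added example, not part of any comment in this thread: a POSIX shell version of the cleanup that imurray's browser wrapper and the cron job above perform, extended to report which domains have stored Flash cookies before removing them. It assumes the usual Linux layout `~/.macromedia/Flash_Player/#SharedObjects/<id>/<domain>/`; `FLASH_DIR` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and purge Flash Local Shared Objects (.sol files).
# Assumption: the usual Linux layout
#   ~/.macromedia/Flash_Player/#SharedObjects/<random-id>/<domain>/.../*.sol
# FLASH_DIR and all function names are hypothetical, not from the thread.
FLASH_DIR="${FLASH_DIR:-$HOME/.macromedia}"

# Print "<count> <domain>" for every site that currently has stored LSOs.
list_lso_domains() {
    root="$FLASH_DIR/Flash_Player/#SharedObjects"
    [ -d "$root" ] || return 0
    # Paths look like ./<random-id>/<domain>/...; keep only <domain>.
    (cd "$root" && find . -mindepth 3 -type f -name '*.sol') |
        sed -e 's|^\./[^/]*/||' -e 's|/.*$||' |
        sort | uniq -c | awk '{print $1, $2}'
}

# Delete every stored LSO but leave the directories in place, so Flash can
# still write during the next session. Prints the number of files removed.
purge_lso() {
    [ -d "$FLASH_DIR" ] || { echo 0; return 0; }
    n=$(find "$FLASH_DIR" -type f -name '*.sol' | wc -l | tr -d ' ')
    # find does not follow symlinks by default, so nothing outside
    # FLASH_DIR is touched.
    find "$FLASH_DIR" -type f -name '*.sol' -exec rm -f {} +
    echo "$n"
}

# Wrapper: run the browser command given as arguments, purge when it exits,
# and pass the browser's exit status through.
run_browser_then_purge() {
    status=0
    "$@" || status=$?
    echo "purged $(purge_lso) Flash LSO file(s)" >&2
    return "$status"
}
```

For a nightly cleanup, source the file from the cron script and call `purge_lso`; for cleanup on browser exit, call `run_browser_then_purge` with the browser command as its arguments.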

------
ZeroGravitas
I think point 2 is no longer true if you're running Flash 10.1 and Firefox,
Chrome or IE.

------
senki
I don't understand point 4. Why restore the redundant HTTP cookie?

~~~
jgrahamc
So that you can track the user for as long as possible. Very useful if you are
running an ad network.

~~~
senki
But it's unnecessary since you already set the Flash cookie.

~~~
henry_flower
In case user deletes that flash cookie, but forgets to clean the http one!

~~~
gojomo
And also the convenience of having the user/session info in HTTP headers where
all sorts of other code/frameworks expect it -- instead of only where Flash
in-page objects can see it.

------
arohner
Does the FF extension click-to-flash mitigate this?

------
borism
how to disable flash cookies

<http://www.google.com/search?q=disable+flash+cookies>

