How to clear out cookies, flash cookies and local storage

Chester Wisniewski, Senior Security Advisor at Sophos, outlines a quick fix to show you how to clear out cookies and the cookie-like things that can be used to track you online.

Why cookies are important

Cookies are very small pieces of information given to your web browser by the sites you visit. Your browser will store the cookies until they expire and will include them in any messages it sends to the website they originally came from. Cookies are a normal and extremely important part of the way the web operates because they enable a sort of short-term memory.

The HTTP protocol – the language used by web browsers to talk to websites – is stateless and no information is retained between any two HTTP events. Simplistically, a basic website will behave as if it’s the first time you’ve ever been there every single time you ask it for a web page. However, if the website gives you a unique cookie the first time you ask for a page, you’ll give it back every time you ask for another page. If all your page requests contain the same unique cookie the website can see that they’re all coming from the same source. Being able to link individual, stateless actions together like this is a fundamental building block of the web. Without this short-term memory, websites would just be brochures – there would be no Facebook, Twitter, Pinterest, LinkedIn, Amazon, eBay, Wikipedia, PayPal, WordPress, Gmail…

Of course, if anyone wants to track you, being able to identify two or more actions as coming from the same source is also the fundamental thing.

Third party cookies

A website can only read the cookies that it has created – it cannot read cookies created by other sites. In order to track an individual from one website to another, the different sites all have to share some code from a third party website. The code that creates and reads the tracking cookie is hosted by the third party and it can keep reading its own cookies as you hop from site to site. That’s how advertisers and tracking companies work, it’s how the same adverts can appear to follow you around the web and it’s how, for example, Twitter knows what websites you’ve visited.
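The exchange described above can be modelled in a few lines. This is an added example, not code from the original article: the hostnames, the `CookieJarBrowser` class and the `blockThirdPartyCookies` option are constructed for illustration. It shows the tracker linking two sites through its own cookie, and the link disappearing when the browser refuses third-party cookies.

```javascript
// Constructed model of a browser cookie jar; every hostname here is made up.
class CookieJarBrowser {
  constructor({ blockThirdPartyCookies = false } = {}) {
    this.blockThirdParty = blockThirdPartyCookies;
    this.jar = new Map(); // host -> cookie; a host is only ever sent its own entry
  }
  // Load a page plus everything it embeds, one request per host.
  visit(pageHost, embeddedHosts, servers) {
    for (const host of [pageHost, ...embeddedHosts]) {
      const thirdParty = host !== pageHost;
      const allowed = !(thirdParty && this.blockThirdParty);
      const request = { cookie: allowed ? this.jar.get(host) : undefined, referer: pageHost };
      const response = servers[host](request);
      if (allowed && response.setCookie) this.jar.set(host, response.setCookie);
    }
  }
}

// The third party's side: hand out an ID once, then record where it shows up.
function makeTracker() {
  const seen = new Map(); // visitor id -> pages that embedded the tracker
  let next = 1;
  const handler = (req) => {
    const id = req.cookie || `visitor-${next++}`;
    if (!seen.has(id)) seen.set(id, []);
    seen.get(id).push(req.referer);
    return req.cookie ? {} : { setCookie: id };
  };
  return { handler, seen };
}

// Visit two unrelated sites that embed the same third party.
function run(blockThirdPartyCookies) {
  const tracker = makeTracker();
  const servers = {
    'news.example': () => ({}),
    'shop.example': () => ({}),
    'tracker.example': tracker.handler,
  };
  const browser = new CookieJarBrowser({ blockThirdPartyCookies });
  browser.visit('news.example', ['tracker.example'], servers);
  browser.visit('shop.example', ['tracker.example'], servers);
  return [...tracker.seen.values()]; // one list per visitor the tracker thinks it saw
}

console.log(JSON.stringify(run(false))); // [["news.example","shop.example"]]
console.log(JSON.stringify(run(true)));  // [["news.example"],["shop.example"]]
```

With third-party cookies blocked the tracker still receives both requests, but it no longer has a shared identifier to join them with.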

‘Super’ cookies

Although cookies are the most well known way to track somebody, there are other technologies that can be used for the same ends. The most recent version of HTML, version 5, has a feature variously called web storage, DOM storage or local storage that allows websites to create small but significant databases on users’ machines. Adobe’s Flash player has a similar feature that allows Flash content embedded in web pages to create and read locally shared objects (LSOs). LSOs are sometimes referred to as Flash cookies or super cookies. Because LSOs are stored by your Flash player and not your browser they can be used to track all the web activity originating from one computer, not just from one browser.

ETags

When a web server sends you a web page, an image or any other kind of file, it sometimes sends a text string called an entity tag (ETag) with it. The ETag is a short ID that uniquely identifies a specific version of a specific file. If your browser asks for the same file again it will send the ETag with the request. If you already have the latest version, the web server doesn’t need to send it to you all over again which saves bandwidth and speeds things up. Unfortunately, it didn’t escape the notice of tracking companies like KISSmetrics that ETags are something that websites give to users that they give back again in later requests. By embedding the same file, such as a transparent image, in every web page and ensuring each new visitor is given a different ETag, ETags could be turned into de facto cookies – or used as a sneaky way to recreate cookies that users have deleted.
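The revalidation exchange above, and the reason the cleanup steps later in this article clear the cache as well as cookies, as an added example that is not part of the original article. The server, the `CachingBrowser` class and the URL are constructed; `perVisitorEtag` is a hypothetical audit helper whose result is a signal worth investigating, not proof of tracking.

```javascript
// Constructed server that mints a fresh ETag for any client it does not recognise.
function makeServer() {
  let next = 1;
  const hits = new Map(); // etag -> number of requests tied to it
  return {
    hits,
    handle(req) {
      const known = Boolean(req.ifNoneMatch) && hits.has(req.ifNoneMatch);
      const etag = known ? req.ifNoneMatch : `"v-${next++}"`;
      hits.set(etag, (hits.get(etag) || 0) + 1);
      // 304 Not Modified: the client keeps its cached copy and its ETag.
      return known ? { status: 304, etag } : { status: 200, etag, body: 'pixel' };
    },
  };
}

class CachingBrowser {
  constructor() { this.cookies = new Map(); this.cache = new Map(); }
  fetch(url, server) {
    const cached = this.cache.get(url);
    // A cached entry is revalidated by sending its ETag back (If-None-Match).
    const res = server.handle({ ifNoneMatch: cached && cached.etag });
    if (res.status === 200) this.cache.set(url, { etag: res.etag, body: res.body });
    return res.etag;
  }
  clearCookies() { this.cookies.clear(); } // the HTTP cache is untouched
  clearCache() { this.cache.clear(); }     // stored ETags go with the files
}

const URL_UNDER_TEST = 'https://tracker.example/pixel.gif'; // constructed URL

function demo() {
  const server = makeServer();
  const browser = new CachingBrowser();
  const first = browser.fetch(URL_UNDER_TEST, server);
  browser.clearCookies();
  const afterCookieClear = browser.fetch(URL_UNDER_TEST, server);
  browser.clearCache();
  const afterCacheClear = browser.fetch(URL_UNDER_TEST, server);
  return { first, afterCookieClear, afterCacheClear };
}

// Audit heuristic: two empty-cache clients asking for the same file version
// should receive the same ETag; differing values suggest a per-visitor ID.
function perVisitorEtag(server, url) {
  return new CachingBrowser().fetch(url, server) !== new CachingBrowser().fetch(url, server);
}

console.log(demo(), perVisitorEtag(makeServer(), URL_UNDER_TEST));
```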

Fingerprinting

Recent research suggests that many browsers have a profile so distinct that they can be individually fingerprinted. The fingerprint is made up from information that can be gathered passively from web browsers such as their version, user agent, screen resolution, language, installed plugins and installed fonts. I don’t know of any cases where fingerprinting has been used in the wild, but if it were it would be difficult to detect and it’s certainly accurate enough to be used as a cookie re-spawning technique, if not for tracking proper. I’m sure it’s a technique we’ll be hearing more about.

Clearing cookies, web storage and ETags

Thankfully modern browser vendors assume that you want to clear web storage when you delete your cookies so the procedure is the same for both. Because ETags are used to manage which files are cached, they’re discarded when you delete your cache. Before you ditch your cache, bear in mind that the cost of aggressively discarding your cache is, potentially, slower browsing. Here’s how to clear out the cookies, web storage and ETags that you already have and how to find the settings that allow you to take a bit more control over what you’ll accept from now on.

Firefox

  • Click Firefox and then Preferences (Mac), or Tools and then Options (Windows)
  • Select the Privacy tab
  • Click clear your recent history
  • Tick Cookies
  • Tick Cache to clear your cache
  • Click Clear now

While you’re looking at the Privacy tab, a range of options for controlling cookies are available under History. You can configure these by choosing Use custom settings for history under Firefox will.

Chrome

  • Click the Menu button
  • Click Settings
  • Click Show advanced settings
  • Scroll to Privacy
  • Click Clear browsing data…
  • Tick Cookies and other site and plug-in data
  • Tick Cached images and files to ditch your cache
  • Click Clear browsing data

Under the Privacy heading you’ll also find a range of options for controlling cookies if you click Content settings….

Safari

  • Click Safari and then Preferences
  • Select the Privacy tab
  • Click Remove all website data
  • Click Remove Now

While you’re looking at the Privacy tab you’ll see a few options for controlling cookies too.

Clearing the cache is a far from obvious process.

  • Click Preferences
  • Select the Advanced tab
  • Tick Show Develop menu in menu bar
  • Click Develop (it’ll have just appeared in the menu bar at the top)
  • Click Empty caches

Internet Explorer

  • Click the gear/cog icon in the top right
  • Click Internet options
  • Select the General tab
  • Under Browsing history click Delete…
  • Tick Cookies and website data
  • Tick Temporary Internet files and website files for the cache
  • Click Delete

Options for controlling cookies can be found under Browsing history and under the Privacy tab.

Clearing Flash cookies

Here’s how to clear out the LSOs that you already have and how to find the settings that allow you to take a bit more control over them.

Windows

  • Click Start (if you’re lucky enough to have one)
  • Search for Control Panel
  • Click System and Security
  • Click Flash Player
  • Select the Storage tab
  • Click Delete All…
  • Tick Delete All Site Data and Settings
  • Click Delete Data

Mac

  • Click System Preferences in the Apple menu
  • Click Flash Player
  • Select the Storage tab
  • Click Delete All…
  • Tick Delete All Site Data and Settings
  • Click Delete Data

Private browsing and add-ons

All modern browsers come with a Private or Incognito mode that makes it much more difficult for websites to track you. Typically they’ll ditch your cache and cookies when your browser session is over, meaning that while you might be tracked during a session, you won’t be tracked across multiple sessions. Private browsing works for Flash LSOs too. According to Adobe, Flash Player version 10.1 and later will clear out Flash cookies at the end of your browsing session if you use private browsing in the following browsers: Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Apple Safari.

There are also a range of add-ons for each major browser that can help you manage some or all of the tracking techniques I’ve mentioned. Going through all of them is well beyond the scope of this article but Ghostery is a good place to start. I’ll leave it for readers to chime in with their favourites in the comments.