Evercookie Tracking Demo
Understand how "zombie cookies" persist across deletion attempts by exploiting multiple browser storage mechanisms.
Educational Demonstration Only
This page demonstrates evercookie concepts for educational purposes. We do NOT actually track you. The demo stores a random ID to show how persistence works, and you can clear it completely at any time.
What is an Evercookie?
An evercookie (also called a "zombie cookie" or "supercookie") is a JavaScript API that creates extremely persistent cookies by storing the same tracking ID across many different browser storage mechanisms simultaneously.
When a user deletes their cookies, the evercookie recreates itself from any remaining storage location. To truly remove an evercookie, you must clear ALL storage mechanisms at once - something most users don't know how to do.
The original evercookie was created in 2010 by security researcher Samy Kamkar to demonstrate how difficult it is to maintain privacy online.
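The replication described above can be checked from the defender's side. This added example (not code from the original page or from evercookie itself) lists every value that appears in two or more script-readable stores; `fakeStorage`, `sampleEnv` and `findReplicatedValues` are hypothetical names, and the sample state is constructed.

```javascript
// Added example. fakeStorage is a constructed stand-in for the Web Storage API (runs under Node).
function fakeStorage(init = {}) {
  const m = new Map(Object.entries(init));
  return {
    get length() { return m.size; },
    key: (i) => [...m.keys()][i] ?? null,
    getItem: (k) => m.get(k) ?? null,
  };
}

// Constructed page state: the page's sample ID "abc123" held by four mechanisms.
function sampleEnv() {
  return {
    document: { cookie: 'tracking_id=abc123; theme=dark' },
    localStorage: fakeStorage({ tracking_id: 'abc123', lang: 'en-US' }),
    sessionStorage: fakeStorage({ tracking_id: 'abc123' }),
    window: { name: 'tracking_id=abc123' },
  };
}

// Web Storage object -> [key, value] pairs
const storageEntries = (s) =>
  Array.from({ length: s.length }, (_, i) => [s.key(i), s.getItem(s.key(i))]);
// "k=v; k2=v2" string (document.cookie, window.name) -> [key, value] pairs
const pairEntries = (str) =>
  str.split(';').filter((p) => p.includes('=')).map((p) => {
    const i = p.indexOf('=');
    return [p.slice(0, i).trim(), p.slice(i + 1).trim()];
  });

// Report every value held by two or more mechanisms, whatever key it is stored under.
function findReplicatedValues(env, minLength = 6) {
  const snapshot = {
    cookie: pairEntries(env.document.cookie),
    localStorage: storageEntries(env.localStorage),
    sessionStorage: storageEntries(env.sessionStorage),
    'window.name': pairEntries(env.window.name),
  };
  const seen = new Map(); // value -> Set of mechanism names
  for (const [mechanism, entries] of Object.entries(snapshot)) {
    for (const [, value] of entries) {
      if (value.length < minLength) continue; // ignore short flags ("1", "dark")
      if (!seen.has(value)) seen.set(value, new Set());
      seen.get(value).add(mechanism);
    }
  }
  return [...seen].filter(([, mechs]) => mechs.size >= 2)
    .map(([value, mechs]) => ({ value, mechanisms: [...mechs].sort() }));
}
```

In a browser console, `findReplicatedValues(window)` runs the same check against the real stores; HttpOnly cookies and IndexedDB are outside what it reads.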
Storage Mechanisms
Evercookies exploit 17+ different storage mechanisms.
How Each Mechanism Works
Standard HTTP Cookies [Common]
The traditional method - small text files stored by the browser. Easy to clear via browser settings.
document.cookie = "tracking_id=abc123; expires=Fri, 31 Dec 9999 23:59:59 GMT";
HTML5 Local Storage [Common]
Stores up to 5-10MB per domain. Persists until explicitly cleared. Often overlooked when clearing "cookies".
localStorage.setItem('tracking_id', 'abc123');
// Survives browser restart, never expires
HTML5 Session Storage [Common]
Similar to localStorage but cleared when the tab closes. Can be used to pass data to respawn other cookies during a session.
sessionStorage.setItem('tracking_id', 'abc123');
IndexedDB [Common]
A full NoSQL database in the browser. Can store large amounts of structured data. Rarely cleared by users.
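const request = indexedDB.open('evercookie_db', 1);
// Create the object store the first time the database is opened
request.onupgradeneeded = (e) => e.target.result.createObjectStore('ids');
request.onsuccess = (e) => {
  const db = e.target.result;
  // Store tracking ID in database
  db.transaction('ids', 'readwrite').objectStore('ids').put('abc123', 'tracking_id');
};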
Canvas Fingerprint PNG [Sneaky]
Encodes the cookie value as RGB pixel colors in a PNG image, then force-caches it. The cookie is read back by drawing the cached image to a canvas and reading pixel values.
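// Get a 2D drawing context on an off-screen canvas
const ctx = document.createElement('canvas').getContext('2d');
// Encode "abc" as RGB: R=97, G=98, B=99
ctx.fillStyle = 'rgb(97, 98, 99)';
ctx.fillRect(0, 0, 1, 1);
// Later, read it back from cached image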
HTTP ETag [Sneaky]
ETags are meant for cache validation but can store tracking IDs. The server sends a unique ETag, and the browser sends it back on subsequent requests.
// Server response:
HTTP/1.1 200 OK
ETag: "tracking_id_abc123"
// Browser's next request:
If-None-Match: "tracking_id_abc123"
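A content-derived ETag is the same for every client that fetches the same resource, while a tracking ETag is unique to each one. This added example (not from the original page) applies that heuristic to constructed proxy observations; the hosts, the record shape and the names `normalizeEtag` and `flagPerClientEtags` are assumptions.

```javascript
// Added example: flag URLs whose ETag differs for every client.
// Constructed observations, e.g. from a logging proxy; hosts are placeholders.
const SAMPLE_OBSERVATIONS = [
  { client: 'A', url: 'https://cdn.example/app.js', etag: '"5f2c9a"' },
  { client: 'B', url: 'https://cdn.example/app.js', etag: 'W/"5f2c9a"' },
  { client: 'C', url: 'https://cdn.example/app.js', etag: '"5f2c9a"' },
  { client: 'C', url: 'https://cdn.example/app.js', etag: '"77d01e"' }, // after a deploy
  { client: 'A', url: 'https://tracker.example/p.gif', etag: '"tracking_id_abc123"' },
  { client: 'B', url: 'https://tracker.example/p.gif', etag: '"tracking_id_def456"' },
  { client: 'C', url: 'https://tracker.example/p.gif', etag: '"tracking_id_ghi789"' },
  { client: 'A', url: 'https://tracker.example/p.gif', etag: '"tracking_id_abc123"' },
];

// Strip the weak-validator prefix and quotes so W/"x" and "x" compare equal.
const normalizeEtag = (etag) => etag.replace(/^W\//, '').replace(/^"|"$/g, '');

function flagPerClientEtags(observations, minClients = 3) {
  const byUrl = new Map(); // url -> Map(etag -> Set of clients that received it)
  for (const { client, url, etag } of observations) {
    if (!byUrl.has(url)) byUrl.set(url, new Map());
    const etags = byUrl.get(url);
    const tag = normalizeEtag(etag);
    if (!etags.has(tag)) etags.set(tag, new Set());
    etags.get(tag).add(client);
  }
  const flagged = [];
  for (const [url, etags] of byUrl) {
    const clients = new Set([...etags.values()].flatMap((s) => [...s]));
    const shared = [...etags.values()].some((s) => s.size > 1);
    // Content-derived ETags repeat across clients; a per-client one never does.
    if (clients.size >= minClients && !shared) {
      flagged.push({ url, clients: clients.size, distinctEtags: etags.size });
    }
  }
  return flagged;
}
```

Raising `minClients` lowers false positives on rarely fetched resources at the cost of needing more observations before a URL is flagged.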
HSTS Supercookie [Advanced]
Exploits HSTS (HTTP Strict Transport Security) by encoding bits in subdomain HSTS policies. Each bit is a subdomain that either has HSTS set or not.
// Encoding "5" (binary: 101) across subdomains:
// bit0.tracker.com → HSTS ON (1)
// bit1.tracker.com → HSTS OFF (0)
// bit2.tracker.com → HSTS ON (1)
// Reading: check if browser upgrades each subdomain to HTTPS
Web Cache [Sneaky]
Stores the tracking ID inside a cached JavaScript or HTML file. When the browser loads the cached version, it contains the ID.
// Server sends with far-future cache headers:
Cache-Control: max-age=31536000
// File contents:
var cached_tracking_id = "abc123";
window.name [Sneaky]
The window.name property persists across page navigations within the same tab, even to different domains. It can store up to 2MB.
window.name = "tracking_id=abc123";
// Survives navigation to other sites in same tab!
Flash Cookies (LSO) [Deprecated]
Flash Local Shared Objects stored data outside the browser's control. Required visiting Adobe's website to clear. Flash is now dead, but was very effective.
// ActionScript:
var so:SharedObject = SharedObject.getLocal("evercookie");
so.data.tracking_id = "abc123";
so.flush();
Silverlight Isolated Storage [Deprecated]
Microsoft's Silverlight plugin had its own storage mechanism, separate from browser storage. Silverlight is now discontinued.
History Stealing [Patched]
Encoded data in browser history by visiting URLs with the ID in them, then read it back by checking link :visited styles. Browsers have patched this.
// Create history entries:
location = "http://tracker.com/id/a";
location = "http://tracker.com/id/b";
// Read via CSS :visited (now blocked)
How Brave Protects Against Evercookies
- Storage Partitioning: Isolates storage per-site, preventing cross-site tracking
- Ephemeral Storage: Third-party storage is cleared when you close the site
- Canvas Fingerprint Randomization: Defeats PNG-based cookie storage
- Blocked HSTS Supercookies: Clears HSTS state for tracking domains
- ETag Stripping: Removes tracking ETags from known trackers
- No Flash/Silverlight: Legacy plugins are completely blocked
Privacy Implications
Evercookies demonstrate a fundamental problem with web privacy: the browser has too many places to store data. Each new API (IndexedDB, Service Workers, Cache API) creates another potential hiding spot for trackers.
While evercookies were originally a proof-of-concept, variations are used in the wild by:
- Advertising networks for cross-site tracking
- Fraud detection systems
- Paywall enforcement
- Government surveillance tools
The best defense is using a privacy-focused browser like Brave that implements storage partitioning and actively blocks known tracking techniques.