Difficulty: Beginner & Advanced
What are super cookies? They are similar to normal cookies except they are nearly impossible to erase. Cookies normally store a small piece of information, usually a unique identifier, in your browser’s cookie jar. That cookie is then sent back to those websites as you browse the internet. Super cookies, though, are a bit more malicious in how they operate. Instead of simply placing a cookie in the cookie jar, they store the cookies using alternative methods, some of which rely on tricks, manipulation and misuse of your browser’s features. Because of this shotgun approach and these unorthodox storage methods, there is no simple way to clear or remove all traces of the cookie. In some scenarios, even switching browsers or using privacy mode won’t protect you. These super cookies are designed to prevent you from being able to delete them. If you clear your cookies like normal, a lurking identifier stored using another method will be used to repopulate the cookie you deleted with the same unique identifier. Needless to say, super cookies are a huge violation of your privacy.
These are such a concern that the European Union passed legislation to help prevent websites from using these deceptive tracking cookie practices without explicit permission.
In America, we are seeing a few major companies try to dip their toes into using super cookies. The biggest and most aggressive violator has been Verizon. If that wasn’t bad enough, Verizon’s super cookie is now being merged with AOL’s ad network.
Verizon is also adding a super-cookie-like identifier to your HTTP headers without your knowledge. I wrote another article about this that I recommend you check out, especially if you are using Verizon.[TODO Link] Make sure you have these settings turned off!
For a short period, AT&T was testing out super cookies but stopped after public backlash.
As of August 2015, researchers have found that super cookies are now in use by multiple telecom companies outside the U.S.
Unfortunately, there is no good way to block or erase these super cookies. If you are tech savvy, you may be able to take some steps to mitigate them (you’d have to test what it would take to entirely block or remove evercookie). You are really at the mercy of the websites which implement super cookies. They’d have to provide you a way to opt out, and they normally don’t.
If you are interested in the technical details of how these cookies are stored, I suggest you get hands-on with some examples. Samy Kamkar has put together a great project called evercookie that clearly demonstrates over a dozen methods for storing a super cookie on a visitor’s computer. I don’t recommend you implement this on your site, but I do think it is an excellent academic & research project.
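To test whether a site shows the repopulating behaviour described above, you can compare what the browser stored before clearing cookies, right after clearing them, and after loading the site again. The script below is an added example, not code from evercookie or from this article; the snapshot format, the store names, the key names and the length threshold are all assumptions made for illustration.

```javascript
// Added example: flag cookies that return with the same value after being cleared.
// Every snapshot below is constructed sample data, not output from a real site.
const MIN_ID_LENGTH = 8; // assumption: shorter values ("en", "1") are preferences, not IDs

// Snapshot shape (hypothetical): { storeName: { key: value } }
const before = {
  cookie: { uid: "a81f3c9e27d4", lang: "en", sid: "s-1111aaaa2222" },
  localStorage: { _trk: "a81f3c9e27d4" },
  indexedDB: { "trk/id": "a81f3c9e27d4" },
};
const afterClear = { // cookies cleared, other stores untouched
  cookie: {},
  localStorage: { _trk: "a81f3c9e27d4" },
  indexedDB: { "trk/id": "a81f3c9e27d4" },
};
const afterRevisit = { // same site loaded again
  cookie: { uid: "a81f3c9e27d4", lang: "en", sid: "s-9999ffff0000" },
  localStorage: { _trk: "a81f3c9e27d4" },
  indexedDB: { "trk/id": "a81f3c9e27d4" },
};

function findRespawned(before, afterClear, afterRevisit) {
  const findings = [];
  for (const [name, value] of Object.entries(before.cookie || {})) {
    const cleared = !(name in (afterClear.cookie || {}));
    const cameBack = (afterRevisit.cookie || {})[name] === value;
    if (!cleared || !cameBack || value.length < MIN_ID_LENGTH) continue;
    // Which non-cookie stores still held the value after the clear?
    const survivors = [];
    for (const [store, entries] of Object.entries(afterClear)) {
      if (store === "cookie") continue;
      for (const [key, v] of Object.entries(entries)) {
        if (String(v).includes(value)) survivors.push(`${store}:${key}`);
      }
    }
    // An empty survivors list means the value came back from a source
    // these snapshots do not cover.
    findings.push({ cookie: name, value, survivors });
  }
  return findings;
}

console.log(JSON.stringify(findRespawned(before, afterClear, afterRevisit), null, 2));
```

The snapshots can be filled in by hand from the storage view in your browser's developer tools. A session cookie that returns with a fresh value (`sid` in the sample) is not flagged, because only an identical value coming back indicates repopulation.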