explaingit

samyk/evercookie

4,720 JavaScript Audience · developer Complexity · 3/5 Setup · moderate

TLDR

Evercookie is a JavaScript research library that stores a tracking identifier in over a dozen browser locations simultaneously, so that clearing standard cookies alone cannot remove it. It is a technical demonstration of browser storage depth.

Mindmap

mindmap
  root((evercookie))
    What it does
      Persistent tracking ID
      Multi-storage sync
    Storage locations
      HTTP cookies
      Local storage
      Canvas PNG
    Backend
      PHP ETag scripts
      Cache headers
    Use Cases
      Security research
      Privacy testing

Things people build with this

USE CASE 1

Study how many separate storage mechanisms exist in a browser by examining Evercookie's source code.

USE CASE 2

Test your browser's privacy tools by seeing which storage locations survive a cookie-deletion pass.

USE CASE 3

Use as a reference to understand which browser APIs can be exploited for persistent storage.

USE CASE 4

Build a privacy-auditing tool that checks which Evercookie storage mechanisms your browser has already patched.

Tech stack

JavaScript · PHP

Getting it running

Difficulty · moderate Time to first run · 30min

Some mechanisms require a PHP server for the ETag, cache, and canvas PNG backends; the Java cross-browser features need a companion repository.

In plain English

Evercookie is a JavaScript library that creates extremely persistent tracking identifiers in a browser. It stores a unique value across as many browser storage locations as possible at once, so that even if a user deletes their standard cookies, Flash cookies, or HTML5 storage, the identifier can be restored from any copy that survives.

The approach works by writing the same value to more than a dozen different places: standard HTTP cookies, HTML5 local and session storage, IndexedDB, Flash Local Shared Objects, Silverlight isolated storage, HTTP ETags, browser cache, canvas PNG data, and more. If any one of those copies survives a cleanup, evercookie reads it and re-writes the value to all the others. The result is that clearing cookies in the usual way does not actually remove the identifier.

Some mechanisms require a server-side component. The repository includes PHP scripts for the ETag, cache, and canvas PNG backends. Node.js and Django ports exist as separate projects. The Java-based mechanisms, which can even share identifiers across different browsers on the same machine, are maintained in a companion repository.

The library is a research and demonstration project by Samy Kamkar. The README is direct about the risks: some mechanisms load Flash or Silverlight on page load, which can slow older machines significantly, and the CSS history approach can trigger a large number of HTTP requests. The author notes that using evercookie on real websites can damage user trust and reputation.

Browser vendors have steadily closed many of the storage loopholes this project relies on, so a number of mechanisms no longer work in modern browsers. Several future ideas are listed in the README as unimplemented. The project is best understood as a technical demonstration of how many separate browser storage locations exist, rather than a tool meant for production use.
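The following added example (not code from the evercookie repository) shows the classification step of a privacy audit built on the behaviour described above: given what each storage location held before a cleanup, right after it, and after the next page load, it reports which copies survived and which were rewritten from a survivor. The function names, the snapshot format, and the sample identifier are assumptions made for this illustration; reading the real stores in a browser is left to the caller.

```javascript
// Added example: snapshots map a storage mechanism name to the value read
// from it (null when empty). Mechanism names follow the page's list; the
// identifier and snapshot contents are constructed sample data.
function classifyStores(before, afterClear, afterReload) {
  const report = {};
  for (const name of Object.keys(before)) {
    const id = before[name];
    if (id === null || id === undefined) {
      report[name] = "unused";
    } else if (afterClear[name] === id) {
      report[name] = "survived"; // the cleanup pass never emptied this store
    } else if (afterReload[name] === id) {
      report[name] = "respawned"; // emptied, then rewritten with the same value
    } else {
      report[name] = "cleared";
    }
  }
  return report;
}

function auditCleanup(before, afterClear, afterReload) {
  const report = classifyStores(before, afterClear, afterReload);
  const by = (state) =>
    Object.keys(report).filter((n) => report[n] === state).sort();
  const survivors = by("survived");
  const respawned = by("respawned");
  // The identifier is gone only if no copy survived and none was rewritten.
  const identifierRemoved = survivors.length === 0 && respawned.length === 0;
  return { report, survivors, respawned, identifierRemoved };
}

const SAMPLE_ID = "constructed-id-0001"; // constructed value
const sampleBefore = {
  "HTTP cookie": SAMPLE_ID, "local storage": SAMPLE_ID,
  "session storage": SAMPLE_ID, "IndexedDB": SAMPLE_ID,
  "HTTP ETag": SAMPLE_ID, "canvas PNG": null,
};
// Constructed: a cookie and HTML5 storage wipe that misses IndexedDB and ETag.
const sampleAfterClear = { ...sampleBefore, "HTTP cookie": null,
  "local storage": null, "session storage": null };
// Constructed: after reload, two of the emptied stores hold the value again.
const sampleAfterReload = { ...sampleAfterClear, "HTTP cookie": SAMPLE_ID,
  "local storage": SAMPLE_ID };

console.log(auditCleanup(sampleBefore, sampleAfterClear, sampleAfterReload));
```

A cleanup tool passes this audit only when `identifierRemoved` is true; any entry in `survivors` names a store the tool needs to cover.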

Copy-paste prompts

Prompt 1
Using samyk/evercookie as a reference, list all the browser storage locations it writes to and explain which ones modern browsers have blocked.
Prompt 2
I want to understand how ETag-based tracking works. Based on the evercookie codebase, explain the technique and show me the PHP backend code that enables it.
Prompt 3
How does evercookie restore a deleted identifier using canvas PNG data? Walk me through the JavaScript mechanism step by step.
Prompt 4
I'm building a privacy audit tool. Using evercookie as a reference, write a JavaScript function that checks which browser storage APIs are available and writable.

Verify against the repo before relying on details.