A local shared object (LSO), commonly called a Flash cookie (due to its similarity with an
HTTP cookie
HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's w ...
), is a piece of data that websites that use
Adobe Flash
Adobe Flash (formerly Macromedia Flash and FutureSplash) is a multimedia Computing platform, software platform used for production of Flash animation, animations, rich web applications, application software, desktop applications, mobile apps, mo ...
may store on a user's computer. Local shared objects have been used by all versions of
Flash Player
Adobe Flash Player (known in Internet Explorer, Firefox, and Google Chrome as Shockwave Flash) is computer software for viewing multimedia contents, executing rich Internet applications, and streaming audio and video content created on the ...
(developed by Macromedia, which was later acquired by
Adobe Systems
Adobe Inc. ( ), originally called Adobe Systems Incorporated, is an American multinational computer software company incorporated in Delaware
and headquartered in San Jose, California. It has historically specialized in software for the crea ...
) since version 6.
Flash cookies, which can be stored or retrieved whenever a user accesses a page containing a Flash application, are a form of local storage. Similar to cookies, they can be used to store user preferences, save data from
Flash game
A browser game or a "flash game" is a video game that is played via the internet using a web browser. They are mostly free-to-play and can be single-player or multiplayer.
Some browser games are also available as mobile apps, PC games, or on co ...
s, or track users' Internet activity. LSOs have been criticised as a breach of
browser security
Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-si ...
, but there are now browser settings and addons to limit the duration of their storage.
Storage
Local shared objects contain data stored by individual websites. Data is stored in the
Action Message Format
Action Message Format (AMF) is a binary format used to serialize object graphs such as ActionScript objects and XML, or send messages between an Adobe Flash client and a remote service, usually a Flash Media Server or third party alternatives. T ...
. With the default settings, the Flash Player does not seek the user's permission to store local shared objects on the hard disk. By default, an
SWF application running in Flash Player from version 9 to 11 (as of Sept 1, 2011) may store up to of data to the user's hard drive. If the application attempts to store more, a dialog asks the user whether to allow or deny the request.
Adobe Flash Player does not allow third-party local shared objects to be shared across
domains. For example, a local shared object from "www.example.com" cannot be read by the domain "www.example.net".
However, the first-party website can always pass data to a third-party via some settings found in the dedicated
XML
Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing arbitrary data. It defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. T ...
file and passing the data in the request to the third party. Also, third-party LSOs are allowed to store data by default. By default, LSO data is shared across browsers on the same machine. As an example:
* A visitor accesses a site using their Firefox browser, then views a page displaying a specific product, then closes the Firefox browser, the information about that product can be stored in the LSO.
* If that same visitor, using the same machine now opens an Internet Explorer browser and visits any page from the site viewed in Firefox, the site can read the LSO value(s) in the Internet Explorer browser, and display dynamic content or otherwise target the visitor.
This is distinct from cookies which have directory isolated storage paths for saved cookies while LSOs use a common directory path for all browsers on a single machine.
Application to games
Flash games
A browser game or a "flash game" is a video game that is played via the internet using a web browser. They are mostly free-to-play and can be single-player or multiplayer.
Some browser games are also available as mobile apps, PC games, or on co ...
may use LSO files to store the user's personal game data, such as user preferences and actual game progress. Backing up files such as these requires some technical understanding of software. However, both browser updates and programs designed to remove unused files may delete this data.
To prevent cheating, games may be designed to render LSO files unusable if acquired from another location.
Privacy concerns
As with HTTP cookies, local shared objects can be used by websites to collect information on how people navigate them, although users have taken steps to restrict data collection.
Online banks, merchants, or advertisers may use local shared objects for tracking purposes.
On 10 August 2009,
''Wired'' magazine reported that more than half of the top websites used local shared objects to track users and store information about them, but only four of them mentioned it in their privacy policy. "Flash cookies are relatively unknown to web users," the article said, "even if a user thinks they have cleared their computer of tracking objects, they most likely have not." The article further says that some websites use Flash cookies as hidden backups so that they can restore HTTP cookies deleted by users.
According to the ''
New York Times
''The New York Times'' (''the Times'', ''NYT'', or the Gray Lady) is a daily newspaper based in New York City with a worldwide readership reported in 2020 to comprise a declining 840,000 paid print subscribers, and a growing 6 million paid d ...
'', by July 2010 there had been at least five class-action lawsuits in the United States against media companies for using local shared objects.
In certain countries, it is illegal to track users without their knowledge and consent. For example, in the United Kingdom, customers must consent to the use of cookies/local shared objects:
Local shared objects were the first subject to be discussed in the
Federal Trade Commission
The Federal Trade Commission (FTC) is an independent agency of the United States government whose principal mission is the enforcement of civil (non-criminal) antitrust law and the promotion of consumer protection. The FTC shares jurisdiction ov ...
(FTC) roundtable in January 2010. FTC Chairman Jon Leibowitz has been talking with Adobe about what it describes as "the Flash problem."
User control
Users can disable local shared objects using the ''Global Storage Settings panel'' of the online Settings Manager at Adobe's website. However, this places a permanent flash cookie on the computer, informing all other websites that the user does not want flash cookies stored on their computer. Users can opt out of LSOs from specified sites from Flash Player's "Settings", accessed by right-clicking the Player, or using the ''Website Storage Settings'' panel; the latter also allows users to delete local shared objects.
Users may also delete local shared objects either manually or using third-party software. For instance,
CCleaner
CCleaner (, originally Crap Cleaner), developed by Piriform Software, is a utility used to clean potentially unwanted files and invalid Windows Registry entries from a computer. It is one of the longest-established system cleaners, first launc ...
, a standalone computer program for Microsoft Windows and Mac OS X, allows users to delete local shared objects on demand. There is also a
Firefox add-on, Clear Flash Cookies, which will automatically clear out all LSOs each time the browser is restarted.
Since version 10.3 of Flash, the Online Settings Manager (letting users configure privacy and security permissions via Adobe's website) is superseded by the Local Settings Manager on Windows, Mac, and Linux platforms. It can be accessed via the
Windows Control Panel
The Control Panel is a component of Microsoft Windows that provides the ability to view and change system settings. It consists of a set of List of Control Panel applets (Windows), applets that include adding or removing Personal computer hardware, ...
or
Mac OS System Preferences. Users of other operating systems still use the Adobe Online Settings Manager. Since at least April 2012 (v 11.2.202.233), updating by downloading a new Flash version resets the security and privacy settings to the defaults of allowing
local storage and asking for media access again, which may be against users' wishes.
Browser control
Browser control refers to the web browser's ability to delete local shared objects and to prevent the creation of persistent local shared objects when
privacy mode
Private browsing is a privacy feature in some web browsers. When operating in such a mode, the browser creates a temporary session that is isolated from the browser's main session and user data. Browsing history is not saved, and local data as ...
is enabled. As for the former,
Internet Explorer 8
Windows Internet Explorer 8 (IE8) is a web browser for Windows. It was released by Microsoft on March 19, 2009, as the eighth version of Internet Explorer and the successor to Internet Explorer 7. It was the default browser in Windows 7 (later def ...
, released on March 19, 2009,
implements an
API
An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software Interface (computing), interface, offering a service to other pieces of software. A document or standa ...
that allows
browser extension
A browser extension is a small software module for customizing a web browser. Browsers typically allow a variety of extensions, including user interface modifications, cookie management, ad blocking, and the custom scripting and styling of web p ...
s to co-operate with the browser and delete their persistent data stored when user issues a ''Delete Browsing History'' command. However, two years passed since its introduction until Adobe, on March 7, 2011, announced that Flash Player v10.3, which was still in development at the time, supports co-operating with Internet Explorer 8 or later to delete local shared objects.
Also on January 5, 2011, Adobe Systems,
Google Inc.
Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. I ...
, and
Mozilla Foundation
The Mozilla Foundation (stylized as moz://a) is an American non-profit organization that exists to support and collectively lead the open source Mozilla project. Founded in July 2003, the organization sets the policies that govern development, ...
finalized a new browser API (dubbed ''NPAPI ClearSiteData''). This will allow browsers implementing the API to clear local shared objects.
Four months later, Adobe announced that Flash Player 10.3 enables
Mozilla Firefox 4
Mozilla Firefox 4 is a version of the Firefox web browser, released on March 22, 2011. The first beta was made available on July 6, 2010; Release Candidate 2 (a base for the final version) was released on March 18, 2011. It was codenamed Tumu ...
and "future releases of
Apple Safari
Safari is a web browser developed by Apple. It is built into macOS, iOS, and iPadOS, and uses Apple's open-source browser engine, WebKit, which was derived from KHTML.
Safari was introduced in Mac OS X Panther in January 2003. It was inclu ...
and
Google Chrome
Google Chrome is a cross-platform web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS ...
" to delete local shared objects,
so since version 4, Firefox treats LSOs the same way as
HTTP cookie
HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's w ...
s - deletion rules that previously applied only to HTTP cookies now also apply to LSOs.
This caused loss of data and backward-incompatible flash application behavior
for those Firefox and Flash users who used HTTP cookies and Flash local shared objects for different goals. Mainly this affected flash gamers, who rely on Flash LSOs to store saved games.
The resulting support requests cannot be solved favorably for
Mozilla Firefox
Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and a ...
users without changes to the browser, because of the introduced equivalence between HTTP and flash cookies.
Currently, the workaround in use is to either configure the browser to never clear history data and cookies or to
revert the part of the changes affecting this use case, using third-party patches.
As for the behavior in browser's privacy mode, Adobe Flash Player 10.1, released on June 10, 2010, supports the privacy modes of
Internet Explorer
Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical user interface, graphical web browsers developed by Microsoft which was used in the Microsoft Wind ...
,
Mozilla Firefox
Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and a ...
,
Google Chrome
Google Chrome is a cross-platform web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS ...
, and
Safari
A safari (; ) is an overland journey to observe wild animals, especially in eastern or southern Africa. The so-called "Big Five" game animals of Africa – lion, leopard, rhinoceros, elephant, and Cape buffalo – particularly form an importa ...
. Local shared objects created in privacy are discarded at the end of the session. Those created in a regular session are also not accessible in privacy mode.
Third-party software
Viewers and editors
Libraries and frameworks
Cleaners
See also
*
HTTP cookie
HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's w ...
*
Evercookie
Evercookie (also known as supercookie) is a JavaScript application programming interface (API) that identifies and reproduces intentionally deleted cookies on the clients' browser storage. It was created by Samy Kamkar in 2010 to demonstrate the ...
*
Web storage
Web storage, sometimes known as DOM storage (Document Object Model storage), is a standard JavaScript API provided by web browsers. It enables websites to store persistent data on users' devices similar to cookies, but with much larger capacity ...
*
Indexed Database API
The Indexed Database API (commonly referred to as IndexedDB) is a JavaScript application programming interface (API) provided by web browsers for managing a NoSQL database of JSON objects. It is a standard maintained by the World Wide Web Cons ...
*
Web SQL Database
Web SQL Database is a deprecated web browser API specification for storing data in databases that can be queried using SQL variant.
The API is supported by Google Chrome, Opera, Microsoft Edge, and the Android Browser, albeit support is slowly be ...
*
Google Gears
*
Device fingerprint
A device fingerprint or machine fingerprint is information collected about the software and hardware of a remote computing device for the purpose of identification. The information is usually assimilated into a brief identifier using a fingerprinti ...
*
Canvas fingerprinting
Canvas fingerprinting is one of a number of browser fingerprinting techniques for tracking online users that allow websites to identify and track visitors using the HTML5 canvas element instead of browser cookies or other similar means. The techni ...
References
External links
Adobe's online toolon its Web site to erase Flash cookies and manage Flash player settings
What are local shared objects? Adobe Flash Player security and privacy help
*
*
How to block Flash cookies*
ttps://www.bbc.co.uk/news/technology-10787882 Legal action on 'zombie cookies' filed in US court
{{Adobe Flash
Adobe Flash
Internet privacy
Surveillance