Local Shared Object
Encyclopedia
Local Shared Objects commonly called flash cookies (due to their similarities with HTTP cookie
s) are pieces of data that websites which use Adobe Flash
may store on a user's computer. Local Shared Objects are used by all versions of Adobe Flash Player
and Version 6 and above of Macromedia's now-obsolete Flash Player.
While websites may use Local Shared Objects for purposes such as storing user preferences, there have been privacy concerns regarding Local Shared Objects.
application running in Flash Player from version 9 to 11 (as of Sept 1, 2011) may store up to of data to user's hard drive. If the application attempts to store more data than the allotted default, the user is shown a dialog to allow or deny the request for more storage space.
Adobe Flash Player does not allow 3rd-party Local Shared Objects to be shared across domain
s. For example, a Local Shared Object from "www.example.com" cannot be read by the domain "www.example2.com". However the first party website can always pass data to third party via some settings found in the dedicated XML
file and passing the data in the request to the third party. Also third party LSO are allowed to store data by default.
Users may also delete Local Shared Objects either manually or using third-party software. For instance, BetterPrivacy, a Firefox add-on, or CCleaner
, a standalone computer program for Microsoft Windows, allow users to delete Local Shared Objects on demand.
is enabled. As for the former, Internet Explorer 8
, released on 19 March 2009, implements an API that allows browser extension
s to co-operate with the browser and delete their persistent data stored when user issues a Delete Browsing History command. However, two years passed since its introduction until Adobe, on 7 March 2011, announced that Flash Player v10.3, which was still in development at the time, supports co-operating with Internet Explorer 8 or later to delete Local Shared Objects.
Also on 5 January 2011, Adobe Systems, Google Inc., and Mozilla Foundation
finalized a new browser API (dubbed NPAPI ClearSiteData). This will allow browsers implementing the API to clear Local Shared Objects. Four months later, Adobe announced that Flash Player 10.3 enables Mozilla Firefox 4
and "future releases of Apple Safari and Google Chrome
" to delete Local Shared Objects.
The actual use of this new feature in Firefox remained consistent for all versions up to and including Mozilla Firefox 7: it changed the cookie concept to include LSOs, and therefore the same rules for deletion that in previous versions applied only to HTTP Cookie
s, would now apply to Flash LSOs as well.
This caused loss of data and backward-incompatible flash application behavior
for those Firefox and Flash users which used HTTP cookies and Flash Local Shared Objects for different goals.
Mainly this had an impact on the flash gaming community, which relies heavily on Flash LSOs to store saved games.
The resulting support requests cannot be solved favorably for the Mozilla Firefox
users without changes to the browser, because of the introduced equivalence between HTTP and Adobe Flash
cookies. . Currently the workaround in use is to either configure the browser to never clear history data and cookies, or to revert
the part of the changes affecting this use case, using third-party patches.
As for the behavior in browser's privacy mode, Adobe Flash Player 10.1, released on 10 June 2010, supports the privacy modes of Internet Explorer, Mozilla Firefox, Google Chrome and Safari. Local Shared Objects created in privacy are discarded at the end of the session. Those created in a regular session are also not accessible in privacy mode.
On Microsoft Windows
NT 5.x, they are stored in:
On Microsoft Windows
NT 6.x, they are stored in:
On Mac OS X
, they are stored in:
On Linux
or Unix
, they are stored in:
For Linux and Unix systems, if the open-source Gnash plugin is being used instead of the official Adobe Flash, they will instead be found at:
On 10 August 2009, Wired magazine
reported that more than half of the top websites used Local Shared Objects to track users and store information about them but only four of them mentioned it in their privacy policy. "Flash cookies are relatively unknown to web users," it said, "even if a user thinks they have cleared their computer of tracking objects, they most likely have not." The article further asserts that some websites use Flash cookies as hidden backups, so that they can revive HTTP cookies when user deletes them.
According to New York Times, since July 2010, there had been at least five class-action lawsuits in the United States against media companies for using Local Shared Objects.
In certain countries it is illegal to track users without their knowledge and consent. For example, in the United Kingdom, customers must consent to use of cookies/Local Shared Objects:
Local Shared Objects were the first subject to be discussed in the Federal Trade Commission roundtable in January 2010. FTC Chairman Jon Leibowitz has been talking with Adobe about what it describes as "the Flash problem."
HTTP cookie
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site...
s) are pieces of data that websites which use Adobe Flash
Adobe Flash
Adobe Flash is a multimedia platform used to add animation, video, and interactivity to web pages. Flash is frequently used for advertisements, games and flash animations for broadcast...
may store on a user's computer. Local Shared Objects are used by all versions of Adobe Flash Player
Adobe Flash Player
The Adobe Flash Player is software for viewing multimedia, Rich Internet Applications and streaming video and audio, on a computer web browser or on supported mobile devices. Flash Player runs SWF files that can be created by the Adobe Flash authoring tool, by Adobe Flex or by a number of other...
and Version 6 and above of Macromedia's now-obsolete Flash Player.
While websites may use Local Shared Objects for purposes such as storing user preferences, there have been privacy concerns regarding Local Shared Objects.
Storage
Local Shared Objects contain data stored by individual websites. With the default settings, the Flash Player does not seek the user's permission to store Local Shared Objects on the hard disk. By default, a SWFSWF
SWF is an Adobe Flash file format used for multimedia, vector graphics and ActionScript. Originating with FutureWave Software, then transferred to Macromedia, and then coming under the control of Adobe, SWF files can contain animations or applets of varying degrees of interactivity and function.,...
application running in Flash Player from version 9 to 11 (as of Sept 1, 2011) may store up to of data to user's hard drive. If the application attempts to store more data than the allotted default, the user is shown a dialog to allow or deny the request for more storage space.
Adobe Flash Player does not allow 3rd-party Local Shared Objects to be shared across domain
Domain name
A domain name is an identification string that defines a realm of administrative autonomy, authority, or control in the Internet. Domain names are formed by the rules and procedures of the Domain Name System ....
s. For example, a Local Shared Object from "www.example.com" cannot be read by the domain "www.example2.com". However the first party website can always pass data to third party via some settings found in the dedicated XML
XML
Extensible Markup Language is a set of rules for encoding documents in machine-readable form. It is defined in the XML 1.0 Specification produced by the W3C, and several other related specifications, all gratis open standards....
file and passing the data in the request to the third party. Also third party LSO are allowed to store data by default.
User control
Users can disable Local Shared Objects using the Global Storage Settings panel of the online Settings Manager at Adobe's website.. However, using this feature will permanently place a flash cookie on the user's computer, informing all other websites that the user does not want flash cookies stored on their computer. Users can also opt-out of them on a per-site basis by right-clicking the Flash player and selecting 'Settings' or using Website Storage Settings panel. The latter also allows users to delete Local Shared Objects.Users may also delete Local Shared Objects either manually or using third-party software. For instance, BetterPrivacy, a Firefox add-on, or CCleaner
CCleaner
CCleaner , developed by Piriform is a Utility program used to clean potentially unwanted files and invalid Windows Registry entries from a computer...
, a standalone computer program for Microsoft Windows, allow users to delete Local Shared Objects on demand.
Browser control
Browser control refers to the web browser's ability to delete Local Shared Objects and to prevent the creation of persistent Local Shared Objects when privacy modePrivacy mode
Privacy mode, sometimes informally referred to as "porn mode", or "private browsing" is a term that refers to privacy features in some web browsers. Historically speaking, web browsers store information such as browsing history, images, videos and text within cache...
is enabled. As for the former, Internet Explorer 8
Internet Explorer 8
Windows Internet Explorer 8 is a web browser developed by Microsoft in the Internet Explorer browser series. The browser was released on March 19, 2009 for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Both 32-bit and 64-bit builds are available...
, released on 19 March 2009, implements an API that allows browser extension
Browser extension
A browser extension is a computer program that extends the functionality of a web browser in some way. Depending on the browser and the version, the term may be distinct from similar terms such as plug-in or add-on. Mozilla Firefox was designed with the idea of being a small and simple web browser,...
s to co-operate with the browser and delete their persistent data stored when user issues a Delete Browsing History command. However, two years passed since its introduction until Adobe, on 7 March 2011, announced that Flash Player v10.3, which was still in development at the time, supports co-operating with Internet Explorer 8 or later to delete Local Shared Objects.
Also on 5 January 2011, Adobe Systems, Google Inc., and Mozilla Foundation
Mozilla Foundation
The Mozilla Foundation is a non-profit organization that exists to support and provide leadership for the open source Mozilla project. The organization sets the policies that govern development, operates key infrastructure and controls trademarks and other intellectual property...
finalized a new browser API (dubbed NPAPI ClearSiteData). This will allow browsers implementing the API to clear Local Shared Objects. Four months later, Adobe announced that Flash Player 10.3 enables Mozilla Firefox 4
Mozilla Firefox 4
Mozilla Firefox 4 is a version of the Firefox web browser, released on 22 March 2011. The first beta was made available on 6 July 2010; Release Candidate 2 was released on 18 March 2011. It was codenamed Tumucumaque, and has been confirmed as Firefox's last large release cycle...
and "future releases of Apple Safari and Google Chrome
Google Chrome
Google Chrome is a web browser developed by Google that uses the WebKit layout engine. It was first released as a beta version for Microsoft Windows on September 2, 2008, and the public stable release was on December 11, 2008. The name is derived from the graphical user interface frame, or...
" to delete Local Shared Objects.
The actual use of this new feature in Firefox remained consistent for all versions up to and including Mozilla Firefox 7: it changed the cookie concept to include LSOs, and therefore the same rules for deletion that in previous versions applied only to HTTP Cookie
HTTP cookie
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site...
s, would now apply to Flash LSOs as well.
This caused loss of data and backward-incompatible flash application behavior
for those Firefox and Flash users which used HTTP cookies and Flash Local Shared Objects for different goals.
Mainly this had an impact on the flash gaming community, which relies heavily on Flash LSOs to store saved games.
The resulting support requests cannot be solved favorably for the Mozilla Firefox
Mozilla Firefox
Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite and managed by Mozilla Corporation. , Firefox is the second most widely used browser, with approximately 25% of worldwide usage share of web browsers...
users without changes to the browser, because of the introduced equivalence between HTTP and Adobe Flash
Adobe Flash
Adobe Flash is a multimedia platform used to add animation, video, and interactivity to web pages. Flash is frequently used for advertisements, games and flash animations for broadcast...
cookies. . Currently the workaround in use is to either configure the browser to never clear history data and cookies, or to revert
Reversion (software development)
In software development , reversion or reverting is the abandonment of one or more recent changes in favor of a return to a previous version of the material at hand In software development (and by extension in content editing environments, especially wikis, that make use of the software development...
the part of the changes affecting this use case, using third-party patches.
As for the behavior in browser's privacy mode, Adobe Flash Player 10.1, released on 10 June 2010, supports the privacy modes of Internet Explorer, Mozilla Firefox, Google Chrome and Safari. Local Shared Objects created in privacy are discarded at the end of the session. Those created in a regular session are also not accessible in privacy mode.
File locations
The default storage location for Local Shared Objects is operating system-dependent.On Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
NT 5.x, they are stored in:
- %APPDATA%\Macromedia\Flash Player\#SharedObjects\
- %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\
On Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
NT 6.x, they are stored in:
- %APPDATA%\Macromedia\Flash Player\#SharedObjects\
- %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\
On Mac OS X
Mac OS X
Mac OS X is a series of Unix-based operating systems and graphical user interfaces developed, marketed, and sold by Apple Inc. Since 2002, has been included with all new Macintosh computer systems...
, they are stored in:
- ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/
- ~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/
On Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
or Unix
Unix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
, they are stored in:
- ~/.macromedia/Flash_Player/#SharedObjects/
- ~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/
For Linux and Unix systems, if the open-source Gnash plugin is being used instead of the official Adobe Flash, they will instead be found at:
- ~/.gnash/SharedObjects/
Privacy concerns
As with HTTP cookies, Local Shared Objects can be used by web sites to collect information on how people navigate those web sites even if people believe they have restricted the data collection. Online banks, merchants or advertisers may use Local Shared Objects for tracking purposes.On 10 August 2009, Wired magazine
Wired (magazine)
Wired is a full-color monthly American magazine and on-line periodical, published since January 1993, that reports on how new and developing technology affects culture, the economy, and politics...
reported that more than half of the top websites used Local Shared Objects to track users and store information about them but only four of them mentioned it in their privacy policy. "Flash cookies are relatively unknown to web users," it said, "even if a user thinks they have cleared their computer of tracking objects, they most likely have not." The article further asserts that some websites use Flash cookies as hidden backups, so that they can revive HTTP cookies when user deletes them.
According to New York Times, since July 2010, there had been at least five class-action lawsuits in the United States against media companies for using Local Shared Objects.
In certain countries it is illegal to track users without their knowledge and consent. For example, in the United Kingdom, customers must consent to use of cookies/Local Shared Objects:
Local Shared Objects were the first subject to be discussed in the Federal Trade Commission roundtable in January 2010. FTC Chairman Jon Leibowitz has been talking with Adobe about what it describes as "the Flash problem."
Editors and toolkits
Software | Developer | Operating system | First public release | Latest stable version | License |
---|---|---|---|---|---|
BetterPrivacy | Ingo Krüger | Linux, BSD, Mac OS X, Windows (Firefox/SeaMonkey SeaMonkey SeaMonkey is a free and open source cross-platform Internet suite. It is the continuation of the former Mozilla Application Suite, based on the same source code... addon Mozilla Add-ons Mozilla Add-ons is the official Mozilla Foundation website to act as a repository for add-ons for Mozilla software, including Mozilla Firefox, Mozilla Thunderbird, SeaMonkey, and Mozilla Sunbird. These add-ons include extensions, themes, dictionaries, search bar "search engines," and plugins... ) |
? | 1.63 | ? |
Dojo Toolkit Dojo Toolkit Dojo Toolkit is an open source modular JavaScript library designed to ease the rapid development of cross-platform, JavaScript/Ajax-based applications and web sites. It was started by Alex Russell, Dylan Schiemann, David Schontzler, and others in 2004 and is dual-licensed under the modified BSD... |
Dojo Foundation | 2004 | 1.3.2 (2009-7-16) | ||
MAXA Cookie Manager | Maxa Research | Windows | 3.2 (2009-02-02) | ||
.minerva | Gabriel Mariani | 3.3.0 (2011-03-27) | |||
PyAMF | Nick Joyce | 2007-10-07 | 0.6b (2010-08-11) | ||
.sol Editor | Alexis Isaac | Windows | 2005-02 | 1.1.0.1 (2005-02-21) | |
SOLReader | Alessandro Crugnola | Windows | |||
SolVE | Darron Schall | Windows, Mac OS X | 2004-09 | 0.2 (2004-10-15) | |
s2x | Aral Balkan | 2005-07-15 | |||
Click&Clean | Linux, BSD, Mac OS X, Windows (Firefox/SeaMonkey SeaMonkey SeaMonkey is a free and open source cross-platform Internet suite. It is the continuation of the former Mozilla Application Suite, based on the same source code... addon Mozilla Add-ons Mozilla Add-ons is the official Mozilla Foundation website to act as a repository for add-ons for Mozilla software, including Mozilla Firefox, Mozilla Thunderbird, SeaMonkey, and Mozilla Sunbird. These add-ons include extensions, themes, dictionaries, search bar "search engines," and plugins... ) |
External links
- Adobe's online tool on its Web site to erase Flash cookies and manage Flash player settings
- How to create SharedObjects in 10 minutes
- How to block Flash cookies
- Electronic Privacy Information Center on "Local Shared Objects"
- Legal action on 'zombie cookies' filed in US court