I logged into a website on two separate instances with a different ID and a
different IP. I rebooted my router so the IP changed each time, but from the
same machine – trying to create a second account for my brother. I also had all
cookies deleted and forbid the specific site from downloading more into my
machine. The website actually was able to find out that this was me logging in
with different IDs. My question is: how can the website (even after taking all
these measures) know that it’s still me?
In this excerpt from
Answercast #33, I look at the many methods that websites can use to remember
who you are; leaving any one of them in place could result in them remembering
Website knows it’s me
It’s surprising that a website would go to these lengths, but it’s certainly possible.
Now, there are a couple of things that I would immediately jump on.
- One is are you really sure you got a different IP?
Typically, rebooting a router will not necessarily assign you a new IP address. It depends on your ISP. Sometimes, they do; sometimes, they don’t.
In my case, my experience has been that when you reboot your router, nine times out of ten you get the same IP address you had five minutes ago. So that may or may not have been part of what’s leading into this.
The other thing that immediately comes to mind is something called Flash cookies.
You’ve cleared your cookies; and I know that you know how to go into the browser and clear the cookies. But in fact, using Flash, there is a different kind of persistent storage that web pages can use Flash to access.
- They can use Flash to drop the equivalent of a cookie.
In fact, we tend to refer to them as “Flash cookies” because they are data left by Adobe Flash technology. It’s possible that the website could be using Flash cookies. You simply didn’t clear them because you didn’t know – most people don’t. So that’s something else to try.
I believe CCleaner will actually clear Flash cookies for you. If you don’t want to use that, there are other approaches to clearing Flash cookies, even by using some applications available at the Adobe website.
Just Google “clear Flash cookies” and you’ll come up with a bunch of ways to do that.
Finally (and this is a little bit more off the slightly-paranoid spectrum), if you look into a technology that I think was called “Super Cookies,” they use about ten different technologies to save a piece of information on your computer.
Now I just mentioned Flash cookies; so obviously, if a site uses Flash cookies that means that if you erase your regular cookies, the information is still there.
Conversely, if you know about Flash cookies and erase those, but don’t erase your regular cookies, the information is still there.
Multiply that by 10. In other words, have 10 different technologies that this Super Cookie technology can use, and there are several different ways to leave something on your machine that can readily identify it as being you.
I’m not aware of any websites that use this. This is really, pretty arcane stuff. A lot of it was done as ‘proof of concept’ as to how easy it is to do. But in reality, I don’t see anybody actually doing it.
I think, to get a little deeper into your problem would probably require understanding what website it is you’re trying to access as well.
But that’s what comes to mind.
End of Answercast #33 Back to – Audio Segment
2 comments on “I cleared cookies and more, so how did a web site still know it was me?”
Using Firefox, flash cookies can very easily be cleared with the add-on Better Privacy. The first time I fired up Better Privacy I was shocked at how many flash cookies (LSO’s) were on my machine, and also at which websites had placed them there. There are different settings that will clear them at a variety of options, e.g. opening or exiting the browser, and you can exclude ones you want to keep from deletion. It is my understanding that LSO’s / flash cookies are not harmless.
Interesting and a bit ironic. vid.askleomedia.com has a LSO on my system. It’s only a little one and I think I’ll let it stay.