Jump to content

Local shared object: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Adding mention of Objection so that the options mentioned aren't limited to just the proprietary-licensed one.
Apologies, inadvertantly left the footnote in the wrong place. Correcting that.
Line 22: Line 22:
Local Shared Objects are not temporary files. Users can only opt-out of Local Shared Objects globally by using the ''Global Storage Settings panel''<ref>{{cite web|url=http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html |title=Adobe - Flash Player : Settings Manager - Global Storage Settings Panel |publisher=Macromedia.com |date= |accessdate=2009-03-27}}</ref> of the online Settings Manager at Adobe's website. Users can also opt-out of them on a per-site basis by right-clicking the Flash player and selecting 'Settings'.
Local Shared Objects are not temporary files. Users can only opt-out of Local Shared Objects globally by using the ''Global Storage Settings panel''<ref>{{cite web|url=http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html |title=Adobe - Flash Player : Settings Manager - Global Storage Settings Panel |publisher=Macromedia.com |date= |accessdate=2009-03-27}}</ref> of the online Settings Manager at Adobe's website. Users can also opt-out of them on a per-site basis by right-clicking the Flash player and selecting 'Settings'.


[[Adobe Systems|Adobe]]'s online-only ''Website Storage Settings'' panel was created to let users view and delete LSOs on a per-domain basis. It is also possible to completely disallow LSOs from a specific domain by setting the storage space to "0 KB",<ref>{{cite web|url=http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html |title=Adobe - Flash Player : Settings Manager - Website Storage Settings panel |publisher=Macromedia.com |date= |accessdate=2009-03-27}}</ref> however, although no data is stored, empty directories with the name of the domain are nonetheless created. Add-on [[Firefox extension|extensions]] that allow the user to view and delete LSOs have also been created for the [[Firefox]] [[Web browser]], e.g. ''BetterPrivacy'' (proprietary) and Greg Yardley's "Objection" (open source).<ref name="betterprivacy">{{cite web| title=Seven Firefox add-ons that improve online privacy |url=http://www.macworld.com/article/147054/2010/03/firefox_privacy.html?lsrc=nl_mwweek_h_cbstories |author= Joseph Guarino, CSO |date= 2010-03-12 |work= [[Macworld]] | accessdate=2010-05-24}}</ref> Though, extensions like this only periodically purge newly (re-)created LSOs. If a user wants to completely prohibit any creation of LSO's on their machine, a good idea is to set security permissions for the main folders LSOs are stored in (for Windows systems those are the folders contained in %APPDATA%\Macromedia\Flashplayer). For example, one could remove all users except themself from the access list for those folders and set only 'list folder contents' permissions for themself, removing permissions to write, modify, execute, or read files (additionally, an explicit prohibition for write actions might be set). In this way no one, even the remaining user from the access list, would be able to create, write, modify, execute, or read any files to/from the folders in subject, but since the user from the access list is the owner of the folder (this should be checked before saving the modified permissions!), they might change any folder permissions in future, if needed. Before applying this approach, users shouldn't forget to purge the contents of the folders they are applying new permissions to, and to check for LSOs in the remaining folders (listed below). This example is based on the Windows XP OS, but is generally appropriate for any OS.
[[Adobe Systems|Adobe]]'s online-only ''Website Storage Settings'' panel was created to let users view and delete LSOs on a per-domain basis. It is also possible to completely disallow LSOs from a specific domain by setting the storage space to "0 KB",<ref>{{cite web|url=http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html |title=Adobe - Flash Player : Settings Manager - Website Storage Settings panel |publisher=Macromedia.com |date= |accessdate=2009-03-27}}</ref> however, although no data is stored, empty directories with the name of the domain are nonetheless created. Add-on [[Firefox extension|extensions]] that allow the user to view and delete LSOs have also been created for the [[Firefox]] [[Web browser]], e.g. ''BetterPrivacy''<ref name="betterprivacy">{{cite web| title=Seven Firefox add-ons that improve online privacy |url=http://www.macworld.com/article/147054/2010/03/firefox_privacy.html?lsrc=nl_mwweek_h_cbstories |author= Joseph Guarino, CSO |date= 2010-03-12 |work= [[Macworld]] | accessdate=2010-05-24}}</ref> (proprietary) and Greg Yardley's "Objection" (open source). Though, extensions like this only periodically purge newly (re-)created LSOs. If a user wants to completely prohibit any creation of LSO's on their machine, a good idea is to set security permissions for the main folders LSOs are stored in (for Windows systems those are the folders contained in %APPDATA%\Macromedia\Flashplayer). For example, one could remove all users except themself from the access list for those folders and set only 'list folder contents' permissions for themself, removing permissions to write, modify, execute, or read files (additionally, an explicit prohibition for write actions might be set). In this way no one, even the remaining user from the access list, would be able to create, write, modify, execute, or read any files to/from the folders in subject, but since the user from the access list is the owner of the folder (this should be checked before saving the modified permissions!), they might change any folder permissions in future, if needed. Before applying this approach, users shouldn't forget to purge the contents of the folders they are applying new permissions to, and to check for LSOs in the remaining folders (listed below). This example is based on the Windows XP OS, but is generally appropriate for any OS.


==File locations==
==File locations==

Revision as of 03:48, 30 September 2010

Local Shared Objects (LSO), commonly called flash cookies, are collections of cookie-like data stored as a file on a user's computer. LSOs are used by all versions of Adobe Flash Player and Version 6 and above of Macromedia's now-obsolete Flash MX Player.[1]

Storage

Flash Players use a sandbox security model. With the default settings, Adobe Flash Player does not seek the user's permission to store LSO files on the hard disk. LSOs contain cookie-like data stored by individual web sites or domains. Indeed, as with cookies, online banks, merchants or advertisers may use LSOs for tracking purposes.[2]

The current version of Flash does not allow LSOs to be shared across domains. For example, an LSO from "www.example.com" cannot read an LSO created by the domain "www.example2.com".[3]

Privacy concerns

LSOs can be used by web sites to collect information on how people navigate those web sites even if people believe they have restricted the data collection.[4] More than half of the internet’s top websites use LSOs to track users and store information about them.[5] There is relatively little public awareness of LSOs, and they can usually not be deleted by the cookie privacy controls in a web browser.[5] This may lead a web user to believe a computer is cleared of tracking objects, when it is not.[5]

Several services even use LSOs as surreptitious data storage to reinstate traditional cookies that a user deleted, a policy called "re-spawning" in homage to video games where adversaries come back to life even after being "killed". So, even if a user gets rid of a website’s tracking cookie, that cookie’s unique ID will be assigned back to a new cookie again using the Flash data as "backup." [6] In USA, at least five class-action lawsuits have accused media companies of surreptitiously using Flash cookies.[7]

In certain countries it is illegal to track users without their knowledge and consent. For example, in the UK, customers must consent to use of cookies/LSOs as defined in the “Guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003”:[8]

Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:

  • is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • is given the opportunity to refuse the storage of, or access to, that information.

User control

Local Shared Objects are not temporary files. Users can only opt-out of Local Shared Objects globally by using the Global Storage Settings panel[9] of the online Settings Manager at Adobe's website. Users can also opt-out of them on a per-site basis by right-clicking the Flash player and selecting 'Settings'.

Adobe's online-only Website Storage Settings panel was created to let users view and delete LSOs on a per-domain basis. It is also possible to completely disallow LSOs from a specific domain by setting the storage space to "0 KB",[10] however, although no data is stored, empty directories with the name of the domain are nonetheless created. Add-on extensions that allow the user to view and delete LSOs have also been created for the Firefox Web browser, e.g. BetterPrivacy[11] (proprietary) and Greg Yardley's "Objection" (open source). Though, extensions like this only periodically purge newly (re-)created LSOs. If a user wants to completely prohibit any creation of LSO's on their machine, a good idea is to set security permissions for the main folders LSOs are stored in (for Windows systems those are the folders contained in %APPDATA%\Macromedia\Flashplayer). For example, one could remove all users except themself from the access list for those folders and set only 'list folder contents' permissions for themself, removing permissions to write, modify, execute, or read files (additionally, an explicit prohibition for write actions might be set). In this way no one, even the remaining user from the access list, would be able to create, write, modify, execute, or read any files to/from the folders in subject, but since the user from the access list is the owner of the folder (this should be checked before saving the modified permissions!), they might change any folder permissions in future, if needed. Before applying this approach, users shouldn't forget to purge the contents of the folders they are applying new permissions to, and to check for LSOs in the remaining folders (listed below). This example is based on the Windows XP OS, but is generally appropriate for any OS.

File locations

The default storage location for LSO files is operating system-dependent. LSO files are typically stored with a ".SOL" extension, within each User's directory. Note that for self-executing flash applications run on the local machine will show up as being run on a website, in the folder localhost.

  • Windows XP:
    • %APPDATA%\Macromedia\Flash Player\#SharedObjects\<random code>\<domain>\<path - maybe°>\<object name>.sol
    • %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
    • C:\WINDOWS\system32\Macromed\[subdirectories]\filename.sol
    • For AIR Applications: %APPDATA%\<AIR Application Reverse Domain Name>\Local Store\#SharedObjects\<flash filename>.swf\<object name>.sol
  • Windows Vista and later:
    • For Web sites: %APPDATA%\Macromedia\Flash Player\#SharedObjects\<random code>\<domain>\<path - maybe°>\<object name>.sol
    • And also: %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
    • For AIR Applications: unknown, likely similar to the above
  • Mac OS X:
    • For Web sites: ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/<random code>/<domain>/<path - maybe°>/<object name>.sol and ~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/<object name>.sol
    • For AIR Applications: ~/Library/Preferences/<AIR Application Name>/Local Store/#SharedObjects/<flash filename>.swf/<object name>.sol
  • Linux/Unix:
    • ~/.macromedia/Flash_Player/#SharedObjects/<random id>/<domain>/<path - maybe°>/<flash filename>.swf/<object name>.sol

° - Flash player can save the file in any path specified by the SWF developer, relative to the current domain.

Programming

The Flash Player allows Web content to read and write LSO data to the computer's local drive on a per-domain basis;[12] such data may preserve session state and record user data and behavior.[13]

By default, a Flash application may store up to 100kb of data to user's hard drive (browser cookies have a limit of just 4kb).[12] The defined storage sizes are 0kb, 10kb, 100kb, 1Mb, 10Mb, and Unlimited.[14] If the current limit is exceeded, the user is shown a dialog requesting storage space of the next size. The user may override the amount manually by clicking the Flash application with right mouse button and selecting Settings; however, this applies only to the domain of the Flash movie. If the selected setting is smaller than the current data size, the data is deleted.

Global LSO settings are not under the direct control of the user, and can only be amended through Adobe's online "Global Settings Manager" control panel.[14][15]

Editors and toolkits

Software Website Developer First public release Latest stable version Cost (USD) Open source License Programming language
SolVE SolVE Darron Schall 2004-09 0.2 (2004-10-15) Free Yes CPL Java
.sol Editor .sol Editor Alexis Isaac 2005-02 1.1.0.1 (2005-02-21) Free Yes MPL ActionScript, Delphi/Kylix
Dojo Toolkit Dojo Toolkit Dojo Foundation 2004 1.3.2 (2009-7-16) Free Yes BSD, AFL JavaScript
MAXA Cookie Manager MAXA Cookie Manager Maxa Research ? 3.2 (2009-02-02) Non-free 35 No proprietary ?
PyAMF PyAMF Nick Joyce 2007-10-07 0.6b (2010-08-11) Free Yes MIT Python
SOLReader SOLReader Alessandro Crugnola ? ? Free No ? C#, PHP [16]
s2x s2x Aral Balkan ? ? Free Yes ? Python [17]
.minerva coursevector.com Gabriel Mariani ? 3.2.3 (2010-06-11) Free Yes ? AIR

Operating system support

Software Windows Mac OS X Linux BSD Unix
SolVE Yes Yes No No No
.sol Editor Yes No No No No
Dojo Toolkit Yes Yes Yes Yes Yes
MAXA Cookie Manager Yes No No No No
PyAMF Yes Yes Yes Yes Yes

References

  1. ^ "What are local shared objects?". Adobe. Retrieved 2007-12-05.
  2. ^ "Flash Player Worries Privacy Advocates". InformationWeek. Retrieved 2007-12-05.
  3. ^ "Flash Player : What Is a Local Shared Object?". Adobe. Retrieved 2009-03-27.
  4. ^ "Adobe Flash cookies pose vexing privacy questions". Networkworld. Retrieved 2009-04-10.
  5. ^ a b c "You Deleted Your Cookies? Think Again". Wired. Retrieved 2009-08-22.
  6. ^ Bruce Schneier
  7. ^ Code That Tracks Users’ Browsing Prompts Lawsuits New York Times, September 20, 2010
  8. ^ Information Commissioner’s Office: library
  9. ^ "Adobe - Flash Player : Settings Manager - Global Storage Settings Panel". Macromedia.com. Retrieved 2009-03-27.
  10. ^ "Adobe - Flash Player : Settings Manager - Website Storage Settings panel". Macromedia.com. Retrieved 2009-03-27.
  11. ^ Joseph Guarino, CSO (2010-03-12). "Seven Firefox add-ons that improve online privacy". Macworld. Retrieved 2010-05-24.
  12. ^ a b "Macromedia Flash MX Security" (PDF). Adobe. 2002-03-01. Retrieved 2007-12-05.
  13. ^ "Local Shared Objects -Flash Cookies". Electronic Privacy Information Center. 2005-07-21. Retrieved 2007-12-05.
  14. ^ a b "Global settings manager". Adobe. Retrieved 2007-12-05.
  15. ^ "TechNote: How to manage and delete local shared objects?". Adobe. Retrieved 2007-12-05.
  16. ^ "PHP example with source code". Alessandro Crugnola. Retrieved 2007-12-18.
  17. ^ "Web demo written in Python". Aral Balkan. Retrieved 2007-12-18.