Supercookie
What is a supercookie?
Supercookie: A persistent tracking identifier stored outside normal cookie storage, designed to survive cookie clearing and private-browsing mode.
A supercookie is a tracking identifier hidden in storage locations that browsers do not clean alongside regular cookies. Examples include HTTP ETag and Last-Modified caches, HSTS pin bits, HTML5 LocalStorage, IndexedDB, Flash Local Shared Objects, and unique identifiers injected by ISPs into HTTP headers (the Verizon UIDH case). Some implementations use multiple storage channels and respawn deleted cookies, a pattern documented in 2009 as the Evercookie. Modern browsers mitigate supercookies through Storage Partitioning, double-keyed caches, HSTS preload lists, removal of Flash support, and HTTPS by default, but mobile and ISP injection variants still persist in some markets.
● Examples
- 01: Evercookie spreading the same ID across LocalStorage, IndexedDB, ETag, and HSTS bits to respawn after clearing.
- 02: ISP header injection adding a per-subscriber UIDH on outbound HTTP requests.
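An added example, not part of the original entry: a Python audit sketch for two of the channels named above, cache validators (ETag, Last-Modified) and ISP header injection. It assumes you have captured first-visit responses from two fresh browser profiles and, for the ISP case, request headers as seen by a server you control over plain HTTP; function names, URLs and values are constructed.

```python
import hashlib

# Headers added in transit by a carrier, never by the browser. X-UIDH is the
# Verizon header the entry refers to; extend the set for other networks.
INJECTED_HEADERS = {"x-uidh"}

def injected_identifiers(request_headers):
    """Return carrier-injected tracking headers from a request, as {name: value}."""
    return {k: v for k, v in request_headers.items()
            if k.lower() in INJECTED_HEADERS}

def suspicious_validators(profile_a, profile_b):
    """Compare first-visit responses captured from two fresh browser profiles.

    Each profile maps URL -> (response_headers, body_bytes). A validator that
    differs while the body is byte-identical can carry a per-client ID, since
    the browser replays it in If-None-Match / If-Modified-Since.
    A finding is a lead, not proof: server farms can emit differing ETags
    for the same file (assumption: review each hit manually).
    """
    findings = []
    for url in sorted(profile_a.keys() & profile_b.keys()):
        (ha, ba), (hb, bb) = profile_a[url], profile_b[url]
        if hashlib.sha256(ba).digest() != hashlib.sha256(bb).digest():
            continue  # content really differs, so validators may too
        ha = {k.lower(): v for k, v in ha.items()}
        hb = {k.lower(): v for k, v in hb.items()}
        for name in ("etag", "last-modified"):
            va, vb = ha.get(name), hb.get(name)
            if va and vb and va != vb:
                findings.append((url, name, va, vb))
    return findings

# Constructed sample captures (not real traffic).
PIXEL = b"GIF89a\x01\x00\x01\x00"
PROFILE_A = {
    "https://tracker.example/p.gif": ({"ETag": '"u-7f3a9c"'}, PIXEL),
    "https://cdn.example/app.js": ({"ETag": '"v42"'}, b"console.log(1)"),
}
PROFILE_B = {
    "https://tracker.example/p.gif": ({"ETag": '"u-b21e04"'}, PIXEL),
    "https://cdn.example/app.js": ({"ETag": '"v42"'}, b"console.log(1)"),
}

if __name__ == "__main__":
    for finding in suspicious_validators(PROFILE_A, PROFILE_B):
        print("per-client validator:", finding)
    print(injected_identifiers({"Host": "site.example", "X-UIDH": "CONSTRUCTED"}))
```
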
● Frequently asked questions
What is a supercookie?
A persistent tracking identifier stored outside normal cookie storage, designed to survive cookie clearing and private-browsing mode. It belongs to the Privacy & Data Protection category of cybersecurity.
How do you defend against supercookies?
Defences against supercookies typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for a supercookie?
Common alternative names include: Evercookie, Persistent cookie, Zombie cookie.
● Related terms
- Third-Party Cookie (privacy, № 1143): A cookie set by a domain different from the one in the browser's address bar, historically used to track users across websites.
- Browser Fingerprinting (privacy, № 127): A stateless tracking technique that identifies a user by combining browser, device, and configuration attributes into a near-unique signature.
- Canvas Fingerprinting (privacy, № 142): A browser-fingerprinting technique that exploits subtle GPU and font rendering differences when drawing on an HTML canvas to identify a device.
- Cross-Site Tracking (privacy, № 241): The practice of linking a user's activity across multiple unrelated websites to build a long-lived behavioural profile.
- Tracking Pixel (privacy, № 1166): A tiny, often 1x1 transparent image or beacon embedded in a web page or email to silently record opens, visits, and other user events.