Local shared objects (LSOs), commonly called Flash cookies (due to their similarities with HTTP cookies), are pieces of data that websites which use Adobe Flash may store on a user's computer. Local shared objects have been used by all versions of Flash Player (developed by Macromedia, which was later acquired by Adobe Systems) since version 6.
Flash cookies, which can be stored or retrieved whenever a user accesses a page containing a Flash application, are a form of local storage. Similar to that of cookies, they can be used to store user preferences, save data from Flash games, or to track users' Internet activity. LSOs have been criticised as a breach of browser security, but there are now browser settings and addons to limit the duration of their storage.
Video Local shared object
Storage
Local shared objects contain data stored by individual websites. Data is stored in the Action Message Format. With the default settings, the Flash Player does not seek the user's permission to store local shared objects on the hard disk. By default, a SWF application running in Flash Player from version 9 to 11 (as of Sept 1, 2011) may store up to 100 kB of data to the user's hard drive. If the application attempts to store more, a dialog asks the user whether to allow or deny the request.
Adobe Flash Player does not allow third-party local shared objects to be shared across domains. For example, a local shared object from "www.example.com" cannot be read by the domain "www.example.net". However, the first party website can always pass data to a third party via some settings found in the dedicated XML file and passing the data in the request to the third party. Also, third party LSOs are allowed to store data by default. By default LSO data is shared across browsers on the same machine. As an example:
- A visitor accesses a site using their Firefox browser, then views a page displaying a specific product, then closes the Firefox browser, the information about that product can be stored in the LSO.
- If that same visitor, using the same machine now opens an Internet Explorer browser and visits any page from the site viewed in Firefox, the site can read the LSO value(s) in the Internet Explorer browser, and display dynamic content or otherwise target the visitor.
This is distinct from cookies which have directory isolated storage paths for saved cookies while LSOs use a common directory path for all browsers on a single machine.
Application to games
Flash games may use LSO files to store the user's personal game data, such as user preferences and actual game progress. Backing up files such as these requires some technical understanding of software. However, both browser updates and programs designed to remove unused files may delete this data.
To prevent cheating, games may be designed to render LSO files unusable if acquired from another location.
Maps Local shared object
Privacy concerns
As with HTTP cookies, local shared objects can be used by web sites to collect information on how people navigate them, although users have taken steps to restrict data collection. Online banks, merchants, or advertisers may use local shared objects for tracking purposes.
On 10 August 2009, Wired magazine reported that more than half of the top websites used local shared objects to track users and store information about them but only four of them mentioned it in their privacy policy. "Flash cookies are relatively unknown to web users," it said, "even if a user thinks they have cleared their computer of tracking objects, they most likely have not." The article further says that some websites use Flash cookies as hidden backups, so that they can restore HTTP cookies deleted by users.
According to the New York Times, by July 2010 there had been at least five class-action lawsuits in the United States against media companies for using local shared objects.
In certain countries, it is illegal to track users without their knowledge and consent. For example, in the United Kingdom, customers must consent to use of cookies/local shared objects:
Local shared objects were the first subject to be discussed in the Federal Trade Commission (FTC) roundtable in January 2010. FTC Chairman Jon Leibowitz has been talking with Adobe about what it describes as "the Flash problem."
User control
Users can disable local shared objects using the Global Storage Settings panel of the online Settings Manager at Adobe's website. However, this places a permanent flash cookie on the computer, informing all other websites that the user does not want flash cookies stored on their computer. Users can opt out of LCOs from specified sites from Flash Player's "Settings", accessed by right-clicking the Player, or using the Website Storage Settings panel; the latter also allows users to delete local shared objects.
Users may also delete local shared objects either manually or using third-party software. For instance, BetterPrivacy, a Firefox add-on, or CCleaner, a standalone computer program for Microsoft Windows and Mac OS X, allow users to delete local shared objects on demand.
Since version 10.3 of Flash, the Online Settings Manager (letting users configure privacy and security permissions via Adobe's website) is superseded by the Local Settings Manager under the Windows Control Panel, Mac OS System Preferences, Linux KDE System settings or Linux GNOME System > Preferences. Users of other operating systems still use the Adobe Online Settings Manager. Since at least April 2012 (v 11.2.202.233), updating by downloading a new Flash version resets the security and privacy settings to the defaults of allowing local storage and asking for media access again, which may be against users' wishes.
Browser control
Browser control refers to the web browser's ability to delete local shared objects and to prevent the creation of persistent local shared objects when privacy mode is enabled. As for the former, Internet Explorer 8, released on March 19, 2009, implements an API that allows browser extensions to co-operate with the browser and delete their persistent data stored when user issues a Delete Browsing History command. However, two years passed since its introduction until Adobe, on March 7, 2011, announced that Flash Player v10.3, which was still in development at the time, supports co-operating with Internet Explorer 8 or later to delete local shared objects.
Also on January 5, 2011, Adobe Systems, Google Inc., and Mozilla Foundation finalized a new browser API (dubbed NPAPI ClearSiteData). This will allow browsers implementing the API to clear local shared objects. Four months later, Adobe announced that Flash Player 10.3 enables Mozilla Firefox 4 and "future releases of Apple Safari and Google Chrome" to delete local shared objects, so since version 4, Firefox treats LSOs the same way as HTTP cookies - deletion rules that previously applied only to HTTP cookies now also apply to LSOs. This caused loss of data and backward-incompatible flash application behavior for those Firefox and Flash users who used HTTP cookies and Flash local shared objects for different goals. Mainly this affected flash gamers, who rely on Flash LSOs to store saved games. The resulting support requests cannot be solved favorably for Mozilla Firefox users without changes to the browser, because of the introduced equivalence between HTTP and flash cookies. Currently, the workaround in use is to either configure the browser to never clear history data and cookies, or to revert the part of the changes affecting this use case, using third-party patches.
As for the behavior in browser's privacy mode, Adobe Flash Player 10.1, released on June 10, 2010, supports the privacy modes of Internet Explorer, Mozilla Firefox, Google Chrome, and Safari. Local shared objects created in privacy are discarded at the end of the session. Those created in a regular session are also not accessible in privacy mode. Municode - Terms of Use
File locations
The default storage location for local shared objects is operating system-dependent, and depends on the flash plugin being NPAPI or PPAPI.
NPAPI
On Microsoft Windows NT 5.x and 6.x, they are stored in:
- %APPDATA%\Macromedia\Flash Player\#SharedObjects\
- %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\
On Mac OS X, they are stored in:
- ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/
- ~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/
On Linux or Unix, they are stored in:
- ~/.macromedia/Flash_Player/#SharedObjects/
- ~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/
For Linux and Unix systems, if the open-source Gnash plugin is being used instead of the official Adobe Flash, they will instead be found at:
- ~/.gnash/SharedObjects/
PPAPI
When using Google Chrome the location for the Pepper Flash (PPAPI) storage is:
- Windows: %localappdata%\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects
- Mac OS X: ~/Library/Application Support/Google/Chrome/Default/Pepper Data/Shockwave Flash/WritableRoot/#SharedObjects/
- Linux: ~/.config/google-chrome/Default/Pepper Data/Shockwave Flash/WritableRoot/#SharedObjects/
Editors and toolkits
See also
- Web storage
- HTTP cookies
- Indexed Database API
- Web SQL Database
- Google Gears
References
External links
- Adobe's online tool on its Web site to erase Flash cookies and manage Flash player settings
- What are local shared objects?, Adobe Flash Player security and privacy help
- "New Technique for Tracking Web Site Visitors". Slashdot. 2005-04-04. Retrieved 2007-12-05.
- "Tracking with Flash Cookies". InformIT. 2007-10-05. Retrieved 2007-12-05.
- How to create SharedObjects in 10 minutes
- How to block Flash cookies
- Electronic Privacy Information Center on "Local Shared Objects"
- Legal action on 'zombie cookies' filed in US court
Source of article : Wikipedia