
What Is an Evercookie? The Tracking Technology That Refuses to Die
In 2010, security researcher Samy Kamkar released a proof-of-concept project that shook the privacy community to its core. He called it the evercookie — a JavaScript API that creates tracking cookies so persistent they’re virtually impossible to delete. Fifteen years later, the techniques Kamkar demonstrated aren’t just proof of concept. They’re actively deployed across the web, evolved, and more sophisticated than ever.
An evercookie (also called a zombie cookie) is a tracking identifier that stores itself in every available storage mechanism in your browser simultaneously. When you delete it from one location, it reads the surviving copy from another location and respawns everywhere. Delete your cookies? The evercookie reads from localStorage. Clear localStorage? It reads from the ETag cache. Clear everything you can find? It reads from the HSTS state, the favicon cache, or a dozen other hiding places you didn’t know existed.
This guide is a complete 2026 resource on how evercookies work and how to protect against them, covering every storage mechanism, the respawn algorithm, modern detection tools, and the only protection strategy that truly works.
Samy Kamkar’s Original Evercookie: How It All Started
The Motivation
Kamkar, already famous for the Samy worm that hit MySpace in 2005, created the evercookie to demonstrate a fundamental flaw in how browsers handle data persistence. His thesis was simple: browsers store user data in so many different places that it’s practically impossible for ordinary users to find and delete all of it. And if even one copy survives, everything can be recreated.
The original evercookie proof-of-concept supported 17 different storage mechanisms, each independently capable of storing a unique tracking identifier. Kamkar published the code on GitHub and documented every technique, hoping that awareness would drive browser vendors to fix the underlying issues. Some were fixed. Most weren’t. And in 2026, the evercookie concept has been extended with even more storage vectors.
The Respawn Algorithm
The genius of the evercookie isn’t in any single storage mechanism — it’s in the respawn logic. Here’s how it works:
- Initial storage — When the evercookie is first set, the JavaScript writes the same unique identifier to every available storage mechanism simultaneously.
- Read on return — When the user returns, the JavaScript reads from all storage locations in parallel.
- Compare and repair — If any storage location is missing the identifier (indicating the user deleted it), the surviving copies are used to rewrite the deleted ones.
- Complete regeneration — Within milliseconds, every deleted copy is restored. The user’s attempt to clear tracking data is completely undone.
This means the user must delete the tracking data from every single storage mechanism simultaneously to truly remove an evercookie. Miss even one, and the zombie cookie comes back to life.
All 17+ Evercookie Storage Mechanisms Explained
1. Standard HTTP Cookies
The most basic storage: regular cookies set through the Set-Cookie HTTP header or document.cookie JavaScript API. These are the first thing users clear, which is why the evercookie uses them as the “front door” while hiding copies in more durable locations. Standard cookies are limited to 4 KB per cookie and subject to same-origin policies, expiration dates, and browser cookie settings.
2. localStorage
localStorage provides 5-10 MB of persistent, same-origin storage per domain. Data stored here has no expiration date and persists until explicitly deleted through JavaScript code or browser settings. Critically, many users who “clear cookies” don’t realize they need to separately clear “site data” to remove localStorage contents. The evercookie stores a backup of its identifier here.
3. sessionStorage
sessionStorage is similar to localStorage but scoped to the browser tab. Data persists as long as the tab is open and survives page reloads and navigation. While sessionStorage is automatically cleared when the tab closes, it serves as a short-term backup that can respawn cookies during an active browsing session. If a user deletes cookies while the tab is still open, the evercookie reads from sessionStorage and restores everything.
4. IndexedDB
IndexedDB is a full-featured client-side database that can store structured data, binary files, and virtually unlimited amounts of information (browser-dependent, but often several hundred MB to several GB). The evercookie stores its identifier in an IndexedDB database that most users don’t know exists and can’t easily inspect without developer tools. Like localStorage, IndexedDB data survives cookie clearing in most browsers.
5. Flash Local Shared Objects (LSOs)
Adobe Flash Player stored data in Local Shared Objects — commonly called “Flash cookies.” These were stored in a completely separate location from browser cookies, had a default capacity of 100 KB (expandable to unlimited with user permission), and could be accessed by any Flash content on any website in the same domain. Flash cookies were the original “supercookie” — they survived browser cookie deletion and were invisible to browser privacy settings. While Flash was officially discontinued in December 2020, the technique was pivotal in evercookie’s history and influenced subsequent approaches.
6. Silverlight Isolated Storage
Microsoft’s Silverlight plugin (discontinued in 2021) provided its own isolated storage mechanism, similar to Flash LSOs. Silverlight storage was separate from browser storage, survived cookie clearing, and was accessible across browsers on the same machine. While Silverlight is no longer supported, the evercookie’s use of Silverlight demonstrated the principle of exploiting plugin storage — a pattern now replicated through Web APIs.
7. Java Applet Storage
Java applets (phased out of browsers by 2017) could store data through the Java Preferences API and the local file system. Java storage was entirely separate from the browser, survived browser reinstallation, and could be accessed across different browsers. Like Flash and Silverlight, Java applet storage is now legacy, but it established the pattern of using non-browser storage as a tracking persistence mechanism.
8. ETag Cache
The evercookie stores its identifier as an ETag — an HTTP cache header designed to check whether a resource has changed. When you request a resource, the server sends a unique ETag. On subsequent requests, your browser sends this ETag back in an If-None-Match header. By setting a unique ETag per user, the tracker can identify you through the HTTP cache even after cookies are cleared. This technique remains effective in 2026 when HTTP cache partitioning is not implemented or not properly configured. For more on how this fits into the broader tracking landscape, see our guide on browser tracking methods in 2026.
9. HSTS (HTTP Strict Transport Security) State
HSTS supercookies encode a tracking identifier in the HSTS policies set across multiple subdomains. Each subdomain represents one bit of the identifier: if HSTS is set, the bit is “1”; if not, it’s “0”. By reading the browser’s automatic HTTP-to-HTTPS upgrade behavior across these subdomains, the tracker can reconstruct the full identifier. HSTS state is stored separately from cookies and cache, and clearing cookies does not affect it. This is one of the most resilient modern evercookie storage vectors.
10. Web SQL Database
Web SQL was an early browser database API that provided SQL-based client-side storage. Although deprecated and removed from the web standards track, it remains functional in Chromium-based browsers. The evercookie stores its identifier in a Web SQL database, adding yet another recovery source. Users rarely know Web SQL exists, and few privacy tools specifically target it.
11. CSS History Sniffing
This technique exploited the fact that browsers styled visited and unvisited links differently. By creating thousands of links to URLs that encode different bit patterns and checking their computed style, a tracker could determine which URLs the user had previously visited. The evercookie used this to reconstruct the identifier by encoding it in a set of visited URLs. Modern browsers have largely mitigated this by restricting the CSS properties that can differ between visited and unvisited links, but variations of the attack continue to surface.
12. window.name
The window.name property is a string that persists across page navigations within the same tab. Unlike cookies and localStorage, window.name is not subject to same-origin restrictions — any page loaded in the same tab can read and write it. The evercookie stores its identifier in window.name, which survives navigation to a completely different domain. While this value doesn’t persist across tab or browser restarts, it provides a cross-origin recovery mechanism within a session.
13. Internet Explorer userData
Internet Explorer’s proprietary userData behavior allowed persistent data storage of up to 1 MB per domain. This data was stored in XML files on the local filesystem and survived cookie clearing. While IE is discontinued, this technique was part of the original evercookie arsenal and influenced subsequent browser storage exploits.
14. Canvas Fingerprint + PNG Cookie
The evercookie can encode its identifier into the pixels of a canvas element and store the resulting image. Using the Canvas API, the tracking script draws the identifier as pixel color values, exports the canvas as a PNG data URL, and stores it in any available cache. On subsequent visits, the script renders the cached PNG back to a canvas and reads the pixel values to reconstruct the identifier. This technique combines the canvas rendering API with image caching for a unique persistence vector. Understanding the broader implications of canvas-based tracking is essential — our guide on browser fingerprints explores how canvas rendering is also used for device identification.
15. HTTP Authentication Cache
When a browser sends HTTP Basic Authentication credentials, it caches them to avoid re-prompting. The evercookie exploits this by silently authenticating the user with a unique username/password pair through an invisible request. The browser caches these credentials and automatically sends them with future requests, creating a persistent identifier that survives cookie, cache, and localStorage clearing.
16. Service Worker Cache
Added after Kamkar’s original evercookie, service worker caches provide a powerful modern storage vector. A service worker can intercept all requests from its origin, maintain its own Cache API storage, and persist independently of the page lifecycle. The evercookie registers a service worker that stores the identifier in its cache and respawns deleted cookies by injecting them into intercepted responses. Service workers can even survive “Clear all site data” operations in some browsers.
17. Favicon Cache
Another post-Kamkar addition: the favicon cache supercookie. By redirecting through multiple subdomains and selectively serving unique favicons, a tracker can encode an identifier in the pattern of cached versus uncached favicons. The favicon cache was historically not cleared by any standard browser cleanup operation and was not partitioned by domain — making it an exceptionally durable storage mechanism.
18. SharedWorker and BroadcastChannel
Modern evercookie implementations extend to SharedWorkers (which persist across tabs from the same origin) and BroadcastChannel (which allows communication between tabs). While these don’t persist across browser sessions, they ensure that an evercookie deleted in one tab can be instantly respawned by a SharedWorker that maintains the identifier across all open tabs for that origin.
How Evercookies Respawn: The Complete Process
Understanding the respawn mechanism is critical for effective protection. Here’s a detailed walkthrough of how a modern evercookie restores itself:
- Page load triggers the evercookie script — A JavaScript file loads and begins reading from all available storage mechanisms in parallel.
- Storage audit — The script checks which storage locations contain the tracking identifier and which are empty (deleted by the user).
- Consensus check — If any storage locations contain the identifier, the script uses a consensus algorithm. The identifier found in the most storage locations is considered authoritative.
- Respawn phase — The authoritative identifier is written back to every storage location that was found empty. Cookies are recreated, localStorage is repopulated, IndexedDB is restored, ETags are re-cached, and so on.
- Verification — The script reads all locations again to confirm the respawn was successful.
- Stealth — The entire process completes in under 100 milliseconds, invisible to the user.
The only way to prevent respawning is to ensure that zero copies survive in any storage mechanism. If even one copy remains, it acts as the seed for complete regeneration.
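The consensus step above can be turned around and used as an audit: if the same value turns up in several storage mechanisms at once, that is the footprint a respawning tracker leaves. The following is an added example, not code from the original evercookie project; the snapshot format, the helper names and the sample data are this example's own assumptions, and collectBrowserSnapshot is assumed to be pasted into a devtools console (it also covers the Console step of the manual detection section later on).

```javascript
// Added example: cross-storage audit for evercookie-style identifiers.
// This is not code from the original evercookie project; the snapshot format,
// the helper names and the sample data are this example's own assumptions.

// Parse a document.cookie string ("uid=abc; theme=dark") into name -> value.
function parseCookieString(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = part.slice(idx + 1).trim();
  }
  return jar;
}

// ETags arrive quoted and sometimes weak ("W/"), so strip that before
// comparing them with values held by other mechanisms.
function normalizeValue(raw) {
  return String(raw).replace(/^W\//, '').replace(/^"(.*)"$/, '$1');
}

// Values shorter than this (flags, counters, preferences) are not identifiers.
const MIN_ID_LENGTH = 8;

// snapshot: { mechanism: { key: value, ... }, ... }
// Returns every value held by more than one mechanism, most-copied first, which
// mirrors the "most locations wins" consensus a respawning script relies on.
function findCrossStorageIdentifiers(snapshot) {
  const byValue = new Map(); // value -> { mechanisms: Set, locations: [] }
  for (const [mechanism, entries] of Object.entries(snapshot)) {
    for (const [key, raw] of Object.entries(entries)) {
      const value = normalizeValue(raw);
      if (value.length < MIN_ID_LENGTH) continue;
      if (!byValue.has(value)) byValue.set(value, { mechanisms: new Set(), locations: [] });
      const rec = byValue.get(value);
      rec.mechanisms.add(mechanism);
      rec.locations.push(`${mechanism}:${key}`);
    }
  }
  return [...byValue.entries()]
    .filter(([, rec]) => rec.mechanisms.size > 1)
    .map(([value, rec]) => ({ value, count: rec.mechanisms.size, locations: rec.locations.sort() }))
    .sort((a, b) => b.count - a.count);
}

// Browser-only collector (assumed to be pasted into the devtools console; not
// called below). IndexedDB, ETags, HSTS and service worker caches are not
// readable this way and must be checked in the Application and Network tabs.
function collectBrowserSnapshot() {
  return {
    cookie: parseCookieString(document.cookie),
    localStorage: Object.fromEntries(Object.entries(localStorage)),
    sessionStorage: Object.fromEntries(Object.entries(sessionStorage)),
    windowName: { name: window.name },
  };
}

// Constructed sample: one identifier planted in five mechanisms next to
// ordinary site data that must not be flagged.
const SAMPLE_SNAPSHOT = {
  cookie: parseCookieString('uid=7f3a9c2e1b; theme=dark; consent=1'),
  localStorage: { evercookie_uid: '7f3a9c2e1b', cart: '[]' },
  sessionStorage: { _uid: '7f3a9c2e1b' },
  windowName: { name: '7f3a9c2e1b' },
  etag: { '/pixel.gif': 'W/"7f3a9c2e1b"' },
};

console.log(findCrossStorageIdentifiers(SAMPLE_SNAPSHOT));
```

A single hit with a count of two or more is already worth investigating; a value in four or five mechanisms is almost never legitimate application state.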
Evercookie Detection: Tools and Techniques
Manual Detection
You can manually check for evercookies using browser developer tools:
- Application tab — Inspect Cookies, localStorage, sessionStorage, IndexedDB, Web SQL, Service Workers, and Cache Storage for suspicious tracking identifiers.
- Network tab — Look for ETag headers that contain user-specific values rather than genuine content hashes.
- Security tab — Check TLS session details for unusually persistent sessions.
- Console — Run document.cookie, localStorage, and window.name checks to see what data is stored.
Automated Detection Tools
| Tool | Type | Detects | Limitations |
|---|---|---|---|
| Panopticlick / Cover Your Tracks (EFF) | Web-based | Cookies, canvas, WebGL fingerprinting | Doesn’t check HSTS, favicon, TLS supercookies |
| OpenWPM (Princeton) | Research framework | All cookie types, JS API calls, HTTP caching | Requires technical setup, not user-friendly |
| Cookie Quick Manager (Firefox) | Extension | Cookies, localStorage, IndexedDB | Doesn’t cover HSTS, ETag, service workers |
| Privacy Badger (EFF) | Extension | Third-party tracking, cookie respawning | Focuses on domains, not storage mechanisms |
| Nickcookie (Research) | Web-based | Evercookie mechanisms specifically | May not cover newest vectors |
Website-Level Detection
You can test whether a specific website uses evercookies with this process:
- Visit the site and note the cookie values set (developer tools → Application → Cookies)
- Clear all cookies for that domain
- Without closing the tab, refresh the page
- Check if the same cookie values have reappeared
- If they have, the site is using some form of cookie respawning
- Clear all browsing data (cookies, cache, site data), close the browser entirely, and revisit
- If the same tracking ID appears again, deeper supercookie mechanisms are in play
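The steps above produce three cookie jars (first visit, after clearing and refreshing, after a full clear and restart). The added example below scores such a run and also carries out the ETag check from the Network-tab step; it is not code from the page's project, and the snapshot shape, the function names and the sample values are this example's own assumptions (the live probe assumes Node 18+ with a global fetch).

```javascript
// Added example: score the website-level respawn test from recorded cookie
// jars, plus the ETag check from the Network-tab step. Not code from the page's
// project; the snapshot shape and function names are this example's own.

// Values shorter than this (flags, preferences) are not treated as identifiers.
const MIN_ID_LENGTH = 8;

// Cookies whose exact identifier-length value is present again after the
// user cleared them, with no login in between, point at respawning.
function respawnedCookies(beforeClear, afterClear) {
  return Object.keys(beforeClear)
    .filter((name) => String(beforeClear[name]).length >= MIN_ID_LENGTH)
    .filter((name) => afterClear[name] === beforeClear[name])
    .sort();
}

// steps.beforeClear:           cookie jar on first visit (name -> value)
// steps.afterRefresh:          jar after clearing the domain's cookies and
//                              refreshing in the same tab
// steps.afterFullClearRestart: jar after clearing all browsing data, restarting
//                              the browser and revisiting (optional)
function classifyRespawnTest(steps) {
  const sameTab = respawnedCookies(steps.beforeClear, steps.afterRefresh);
  const afterRestart = steps.afterFullClearRestart
    ? respawnedCookies(steps.beforeClear, steps.afterFullClearRestart)
    : [];
  // Surviving a full clear plus restart rules out sessionStorage, window.name
  // and SharedWorkers as the source, so a deeper mechanism is in play.
  if (afterRestart.length > 0) return { verdict: 'supercookie', cookies: afterRestart };
  if (sameTab.length > 0) return { verdict: 'respawn', cookies: sameTab };
  return { verdict: 'clean', cookies: [] };
}

// ETag check: two fresh sessions (no cookies, empty cache) fetching the same
// resource should see the same ETag if the ETag is a content hash. A different
// ETag over an identical body means the server is tagging visitors.
function etagIsVisitorSpecific(first, second) {
  return first.body === second.body && first.etag !== second.etag;
}

// Live probe for the ETag check (assumption: Node 18+ with global fetch, which
// keeps no cookie jar, so every call behaves like a fresh session). Not run by
// the sample below; note that both calls share your IP address.
async function probeEtag(url) {
  const res = await fetch(url, { headers: { 'Cache-Control': 'no-cache' } });
  return { etag: res.headers.get('etag'), body: await res.text() };
}

// Constructed sample runs.
const RESPAWN_RUN = {
  beforeClear: { uid: 'a81f3c9d02e4', sid: 'login-7', theme: 'dark' },
  afterRefresh: { uid: 'a81f3c9d02e4', theme: 'dark' },
  afterFullClearRestart: { uid: 'a81f3c9d02e4' },
};
const SAME_TAB_ONLY_RUN = {
  beforeClear: { uid: 'a81f3c9d02e4' },
  afterRefresh: { uid: 'a81f3c9d02e4' },
};
const CLEAN_RUN = {
  beforeClear: { uid: 'a81f3c9d02e4' },
  afterRefresh: { uid: 'b77e0d1c9a55' },
  afterFullClearRestart: { uid: 'c0ffee123456' },
};
// Constructed ETag observations for the same tracking pixel from two sessions.
const PIXEL_SESSION_A = { etag: '"u-a81f3c9d02e4"', body: 'GIF89a\x01\x00\x01\x00' };
const PIXEL_SESSION_B = { etag: '"u-b77e0d1c9a55"', body: 'GIF89a\x01\x00\x01\x00' };

console.log(classifyRespawnTest(RESPAWN_RUN));                        // verdict: supercookie
console.log(etagIsVisitorSpecific(PIXEL_SESSION_A, PIXEL_SESSION_B)); // true
```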
Comprehensive Evercookie Protection Strategies
Strategy 1: Aggressive Browser Hygiene
For users who want to stay on their local browser, maximum protection requires clearing everything regularly:
- Cookies and site data (covers cookies, localStorage, sessionStorage, IndexedDB, Web SQL)
- Cached images and files (covers ETags)
- HSTS state (manually via chrome://net-internals/#hsts or equivalent)
- Service worker registrations (via developer tools or “unregister service workers” extensions)
- Saved passwords and autofill data (covers HTTP auth cache)
- Restart the browser after clearing (flushes TLS session cache and favicon cache)
The downside? You lose all saved preferences, login sessions, and cached content every time. This is impractical for daily use and still may not cover undiscovered storage mechanisms.
Strategy 2: Browser Containers and Profiles
Firefox’s Multi-Account Containers and Chrome’s Profile system can isolate tracking data between different contexts. Each container or profile has its own cookie jar, localStorage, and cache. Evercookies set in one container can’t be read from another. However, HSTS state and some other browser-level storage may still leak between containers, and managing multiple containers adds significant complexity. For more on how websites identify you beyond cookies, see our detailed explanation of tracking without cookies.
Strategy 3: Dedicated Privacy Browsers
Tor Browser provides strong evercookie protection by:
- Clearing all state on every browser close
- Blocking or restricting most JavaScript APIs used by evercookies
- Using a standardized browser fingerprint to prevent fingerprint-based tracking
- Routing traffic through multiple relays to prevent network-based identification
However, Tor Browser’s strict protections break many websites and make normal browsing difficult. The performance overhead of onion routing makes it impractical for general use. Choosing the best privacy browser depends on your specific threat model and usability requirements.
Strategy 4: Ephemeral Cloud Sessions (Most Effective)
The only strategy that provides guaranteed, complete evercookie protection without sacrificing usability is running your browser in an ephemeral cloud environment. Cloud browsers like Send.win launch each session in a fresh virtual machine or container with:
- Zero pre-existing state — No cookies, localStorage, IndexedDB, service workers, HSTS, or cached data from any previous session
- Complete destruction on session end — Every byte of browser state is wiped when you close the session
- No respawn possible — Since the entire browser environment is destroyed, there’s no surviving copy for evercookies to respawn from
- No storage mechanism gaps — Even undiscovered storage vectors are covered because the entire VM/container is discarded
This is the only approach that protects against future evercookie techniques as well. When a new storage mechanism is discovered and exploited for tracking, cloud sessions are already immune because they don’t persist any state whatsoever.
Evercookies in the Real World: Who Uses Them?
Documented Cases
Evercookie techniques have been found in deployment across major websites and services:
- Hulu (2011) — Used Flash LSOs to respawn deleted HTTP cookies, settled a class-action lawsuit for $1.5 million.
- KISSmetrics (2011) — Used ETags and Flash LSOs to track users across websites including Hulu and Spotify. Settled a lawsuit and changed practices.
- Verizon (2014-2016) — Injected unique identifier headers (UIDH “supercookies”) into all HTTP traffic at the network level. FCC fined Verizon $1.35 million.
- Turn (2015) — Used Verizon’s UIDH to respawn deleted cookies, effectively creating a carrier-level evercookie.
- Major ad networks (ongoing) — Multiple studies have documented cookie respawning through localStorage, ETags, and IndexedDB across top advertising platforms.
Legal and Regulatory Response
Evercookies exist in a legal grey area. The EU’s ePrivacy Directive requires consent for storing information on user devices, which technically covers all evercookie mechanisms. GDPR’s right to erasure should allow users to demand deletion of evercookie data. In practice, enforcement is nearly impossible because:
- Users can’t identify which storage mechanisms contain tracking data
- Regulators lack the technical expertise to detect evercookies
- The responsible parties are often buried in chains of third-party ad tech vendors
- Evercookie code can be obfuscated to avoid detection by automated auditing tools
The Future of Evercookies: What’s Coming in 2026 and Beyond
As browsers close existing storage loopholes, evercookie developers are exploring new persistence vectors:
- WebGPU state — The WebGPU API introduces new caching and state management that may be exploitable for tracking persistence.
- WebAssembly memory — WASM modules can maintain state in linear memory that isn’t covered by standard browser cleanup.
- Web Bluetooth/USB state — Connected device permissions and cached device identifiers could serve as tracking anchors.
- Speculation rules and prefetch cache — New prefetching mechanisms create additional cache surfaces that may not be cleared by standard cleanup.
- Federated learning state — Browser-based machine learning models could potentially encode tracking identifiers in their weights.
The cat-and-mouse game between evercookie developers and browser privacy teams shows no signs of ending. Every new browser feature is a potential new storage mechanism, and the economic incentives for tracking are enormous. The only future-proof approach is one that doesn’t try to play this game at all — destroying the entire browser state after every session.
🏆 Send.win Verdict
Evercookies represent the most aggressive form of browser tracking ever devised — storing your identity across 17+ mechanisms so that deleting any single one triggers automatic respawning from survivors. No amount of cookie clearing, cache purging, or privacy extension tuning can guarantee complete evercookie removal because new storage vectors are constantly being discovered. Send.win is the definitive solution: every browsing session runs in a completely fresh cloud environment with zero pre-existing data. When you end your session, the entire environment — every cookie, cache entry, database, service worker, and HSTS state — is permanently destroyed. There’s nothing left for the zombie cookie to come back from. Your browsing is truly ephemeral, and evercookies are rendered powerless.
Try Send.win free today — browse in clean cloud sessions where evercookies can never respawn.
Frequently Asked Questions About Evercookies
What exactly is an evercookie?
An evercookie (also called a zombie cookie) is a tracking identifier that stores itself simultaneously across many different browser storage mechanisms — standard cookies, localStorage, IndexedDB, ETags, HSTS state, service worker caches, and more. When a user deletes the identifier from any storage location, the evercookie reads the surviving copy from another location and respawns all deleted copies. This makes it extremely difficult to permanently remove because the user must find and delete every single copy at the same time.
Who created the evercookie and why?
Security researcher Samy Kamkar created the evercookie in 2010 as a proof-of-concept to demonstrate how many hidden data storage locations exist in web browsers. His goal was to raise awareness about browser privacy vulnerabilities and encourage browser vendors to fix the underlying issues. The original code was published on GitHub and documented 17 storage mechanisms. While some have been mitigated by browser updates, many remain functional and new ones have been added.
Is the evercookie still relevant in 2026 with third-party cookies being phased out?
Absolutely. The evercookie was always about more than just standard cookies — it exploits localStorage, IndexedDB, ETags, HSTS, service workers, and other mechanisms that are completely unaffected by third-party cookie deprecation. In fact, the decline of third-party cookies makes evercookie techniques more valuable to trackers because they need persistent identifiers to replace the cookie-based tracking infrastructure they’re losing. Modern evercookies have added new storage vectors like service workers and favicon caches.
Can antivirus software detect and remove evercookies?
Traditional antivirus software is not designed to detect or remove evercookies. Antivirus tools focus on malware — executable code that harms your system. Evercookies are legitimate data stored through standard browser APIs. They don’t contain malicious code; they just store tracking identifiers in unusual places. Some internet security suites include browser privacy components that can detect cookie respawning, but they typically don’t cover all 17+ storage mechanisms used by sophisticated evercookies.
Does the Tor Browser protect against evercookies?
Yes, Tor Browser provides strong evercookie protection because it clears all browser state on every close, restricts many JavaScript APIs used by evercookies, and presents a standardized browser fingerprint. However, Tor Browser’s strict protections break many websites, its performance is slow due to onion routing, and it’s not practical for general daily browsing. It’s effective against evercookies but comes with significant usability trade-offs.
How can I tell if a website is using evercookies on me?
The simplest test: visit a website, note the tracking cookie values in developer tools, then clear all cookies for that domain and refresh the page. If the same cookie values reappear without you re-logging in, the site is using some form of cookie respawning. For a more thorough test, clear all browsing data (cookies, cache, site data), restart your browser, and revisit. If the same tracking ID appears, deeper evercookie mechanisms are likely in use. Tools like Privacy Badger can also detect and flag cookie respawning behavior.
What’s the difference between an evercookie and a supercookie?
A supercookie is a single tracking mechanism that stores data in a non-standard browser location (like HSTS state, ETag cache, or favicon cache). An evercookie is a system that uses multiple supercookies together — storing the same tracking identifier across many locations simultaneously and respawning deleted copies from survivors. Think of supercookies as individual hiding places and the evercookie as the coordinated strategy of hiding in all of them at once.
Can Send.win protect me from evercookies even if new storage mechanisms are discovered?
Yes, and this is Send.win’s key advantage over all other protection strategies. Send.win doesn’t try to identify and clear specific storage mechanisms — it destroys the entire cloud browsing environment when your session ends. This includes the browser process, filesystem, memory, caches, databases, and every other form of storage. When a new storage mechanism is discovered and exploited for evercookie persistence, Send.win is already immune because nothing from any previous session survives. It’s future-proof by design.
How Send.win Helps You Master Evercookie Protection
Send.win makes evercookie protection simple and secure with powerful browser isolation technology:
- Browser Isolation – Every tab runs in a sandboxed environment
- Cloud Sync – Access your sessions from any device
- Multi-Account Management – Manage unlimited accounts safely
- No Installation Required – Works instantly in your browser
- Affordable Pricing – Enterprise features without enterprise costs
Try Send.win Free – No Credit Card Required
Experience the power of browser isolation with our free demo:
- Instant Access – Start testing in seconds
- Full Features – Try all capabilities
- Secure – Bank-level encryption
- Cross-Platform – Works on desktop, mobile, tablet
- 14-Day Money-Back Guarantee
Ready to upgrade? View pricing plans starting at just $9/month.
