Comments on: Abusing the Cache: Tracking Users without Cookies

By: Paranoid Firefox | Wilfred Hughes

Paranoid Firefox | Wilfred Hughes — Sun, 10 Oct 2010 23:05:15 +0000

[...] aware that at least two researchers are researching into tracking users using only the cache (using iframes or ETags). The truly paranoid Firefox user will therefore want Firefox to regularly clear its [...]

By: SymKat

SymKat — Sun, 22 Aug 2010 02:04:14 +0000

That’s an excellent idea.

Though, taking the AJAX idea from Richard a bit further, what about using the ETag header and embedding the uniq ID in there. You could have one file request without query strings.

Change the Cache-Control to max-age=0, must-revalidate and Expires: -1, then add ETag:. Subsequent requests will use the If-None-Match: request header.

I wrote a blog entry about HTTP headers last week that explains these headers and how they function more in depth here: http://symkat.com/45/understanding-http-caching/

Of course, the best resource if you’re the type who likes huge documents would be RFC 2616. Specific attention to section 14.

By: Dmitry Vl.Bondar

Dmitry Vl.Bondar — Wed, 28 Apr 2010 09:20:45 +0000

The technique doesn’t work if web address contains port number like http://www.mysite.com:8082

By: Josh

Josh — Mon, 05 Apr 2010 20:46:12 +0000

Thanks Nathan. Good spot.

By: Nathan Friedly

Nathan Friedly — Mon, 05 Apr 2010 20:40:54 +0000

heh, I topoed my corection, lol. it should say:

header(“Last-Modified: $modified GMT”);

By: Nathan Friedly

Nathan Friedly — Mon, 05 Apr 2010 20:40:09 +0000

I think you have a mistake in your code.

Line 56 reads:
header(“Last-Modified: $expires GMT”);

You probably meant:
header(“Last-Modified: $emodified GMT”);

As it is now, you’re claiming the last-modified date is 10 years in the future.

By: JasonMorrison.net

JasonMorrison.net — Wed, 10 Feb 2010 08:17:16 +0000

Three Ways Sites Can Track Visitors Without Cookies, Part 2…

In part 1, I wrote about the EFF’s Panopticlick project and the implications for anonymity. I’ve got two more methods up my sleeve. 2. Use the cache. Cookies aren’t the only thing your browser downloads and keeps around, and for good reaso….

By: admin

admin — Fri, 29 Jan 2010 21:35:00 +0000

@Mogden, that’s a good point. I haven’t done much testing as to how long the data is retained as this was more a proof of concept. Like I said in the post I believe it would be more suited towards being used with cookies to make sessions more sticky.

By: admin

admin — Fri, 29 Jan 2010 21:28:39 +0000

Ray, the initial request is marked with Cache-control: private so intermediate proxies should know not to cache the page. Only the client will keep the cache.

By: uberVU - social comments

uberVU - social comments — Fri, 29 Jan 2010 15:27:36 +0000

Social comments and analytics for this post…

This post was mentioned on Reddit by k4st: That is surprisingly cool. I think that if the author can make this method work without Javascript and show that it is a cross-browser solution then it could be used (almost) anywhere where a cookie could be u…