-1

Suppose I configure my browser to block all cookies and disable local storage. Can a clever website somehow still associate all my activity with a persistent unique identifier, e.g. a session ID?

Pieter
  • Meta note: I wrote this Q&A-style entry because the Stack Overflow blog [actively encourages it](https://stackoverflow.blog/2011/07/01/its-ok-to-ask-and-answer-your-own-questions/). Please help me improve my question/answer where needed. – Pieter May 04 '21 at 18:22

1 Answer

0

Yes, cookieless tracking definitely exists.

Browser fingerprinting is a well-known technique for this. Webpages can collect information such as your browser's user agent string, your timezone, your screen resolution, a list of installed fonts or a WebGL image render to create a stable unique identifier that you cannot see or control. You can test if your browser is vulnerable here or here. You may want to try loading them in a regular browsing window and an incognito window to see if the fingerprint remains stable. Especially browsers like Firefox and Safari try to mitigate against various kinds of tracking.

Suppose you were to disable JavaScript and WebGL as well, websites can hide a unique identifier in your browser cache by misusing features of HTTP. I'm aware of three techniques for this. Since they're a bit hard to explain in text, I've made a few animations explaining them (starts around 02:42). The techniques are:

  • ETag tracking - Webpage does Ajax request to a tracking URL, server includes randomized ETag response header. This is your unique ID. Next time the webpage does an Ajax request to the tracking URL, your browser will include the ID in the If-None-Match request header, allowing the tracking URL to reflect it back again in the ETag response header.
  • Last-Modified tracking - Like above, but with a randomized Last-Modified timestamp that the browser will later reflect back in the If-Modified-Since request header.
  • Permanent redirect tracking - The tracking URL generates permanent redirects to itself with a randomized query string parameter like ?id=12349876 included. Your browser will cache the redirect and go to ?id=12349876 directly next time.

Some mitigation against cache-based tracking techniques exists. The Privacy Possum browser extension protects against ETag-based tracking.

Pieter
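
A defender-side check for the three cache techniques listed in the answer above, as an added example that is not part of the original post: it compares the response metadata two clean browser profiles receive for the same URL and flags ETag, Last-Modified or permanent-redirect values that differ per client. The function names, the `/t` path and all sample responses are constructed for illustration, and the comparison is a heuristic, not a description of how any particular extension works.

```javascript
// Heuristic: a validator or permanent-redirect target that differs between two
// clean profiles fetching the same URL is per-client state the cache will replay.
// False positives: backends emitting different ETags for one file, changed content.
const PERMANENT = new Set([301, 308]); // permanent redirects, cacheable by default

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}
function splitQuery(url) {
  const i = url.indexOf('?');
  return i === -1 ? [url, ''] : [url.slice(0, i), url.slice(i + 1)];
}

// a, b: { status, headers } from two cold-cache, cookieless fetches of one URL.
function findCacheIdentifiers(a, b) {
  const ha = lowerKeys(a.headers), hb = lowerKeys(b.headers);
  const findings = [];
  for (const name of ['etag', 'last-modified']) {
    if (ha[name] && hb[name] && ha[name] !== hb[name]) findings.push(name);
  }
  if (PERMANENT.has(a.status) && PERMANENT.has(b.status) && ha.location && hb.location) {
    const [pathA, queryA] = splitQuery(ha.location);
    const [pathB, queryB] = splitQuery(hb.location);
    if (pathA === pathB && queryA !== queryB) findings.push('permanent-redirect');
  }
  return findings;
}

// Constructed sample responses (not captured traffic); "/t" is a hypothetical path.
const res = (status, headers) => ({ status, headers });
const STATIC = { ETag: '"abc123"', 'Last-Modified': 'Mon, 01 Mar 2021 10:00:00 GMT' };
const SAMPLES = {
  etagTracker: [res(200, { ETag: '"7f3a9c1e5b"' }), res(200, { ETag: '"02d4e8aa91"' })],
  lastModifiedTracker: [
    res(200, { 'Last-Modified': 'Tue, 04 May 2021 18:22:07 GMT' }),
    res(200, { 'Last-Modified': 'Sat, 12 Jan 2019 03:41:55 GMT' }),
  ],
  redirectTracker: [res(301, { Location: '/t?id=12349876' }), res(301, { Location: '/t?id=55510234' })],
  staticAsset: [res(200, STATIC), res(200, STATIC)],
};

function scanSamples() {
  const report = {};
  for (const [name, [a, b]] of Object.entries(SAMPLES)) report[name] = findCacheIdentifiers(a, b);
  return report;
}
console.log(scanSamples());
```

An empty result for a URL only means these three channels carried no per-client difference in that pair of fetches; fingerprinting via JavaScript or WebGL is outside what this check sees.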