gitwtfhub

wtf is evercookie?

samyk/evercookie — explained in plain English

Analysis updated 2026-06-26

4,720JavaScriptAudience · developerComplexity · 3/5Setup · moderate

TL;DR

Evercookie is a JavaScript research library that stores a tracking identifier in over a dozen browser locations simultaneously so that clearing standard cookies alone cannot remove it, a technical demonstration of browser storage depth.

Mindmap

mindmap
  root((evercookie))
    What it does
      Persistent tracking ID
      Multi-storage sync
    Storage locations
      HTTP cookies
      Local storage
      Canvas PNG
    Backend
      PHP ETag scripts
      Cache headers
    Use Cases
      Security research
      Privacy testing

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Study how many separate storage mechanisms exist in a browser by examining Evercookie's source code.

REASON 2

Test your browser's privacy tools by seeing which storage locations survive a cookie-deletion pass.

REASON 3

Use as a reference to understand which browser APIs can be exploited for persistent storage.

REASON 4

Build a privacy-auditing tool that checks which Evercookie storage mechanisms your browser has already patched.

What's in the stack?

JavaScriptPHP

How it stacks up

samyk/evercookieredux-utilities/flux-standard-actionjsonresume/resume-cli
Stars4,7204,7184,714
LanguageJavaScriptJavaScriptJavaScript
Setup difficultymoderateeasyeasy
Complexity3/51/51/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · moderate Time to first run · 30min

Some mechanisms require a PHP server for ETag, cache, and canvas PNG backends, Java cross-browser features need a companion repository.

Wtf does this do

Evercookie is a JavaScript library that creates extremely persistent tracking identifiers in a browser. It stores a unique value across as many browser storage locations as possible at once, so that even if a user deletes their standard cookies, Flash cookies, or HTML5 storage, the identifier can be restored from any copy that survives. The approach works by writing the same value to more than a dozen different places: standard HTTP cookies, HTML5 local and session storage, IndexedDB, Flash Local Shared Objects, Silverlight isolated storage, HTTP ETags, browser cache, canvas PNG data, and more. If any one of those copies survives a cleanup, evercookie reads it and re-writes the value to all the others. The result is that clearing cookies in the usual way does not actually remove the identifier. Some mechanisms require a server-side component. The repository includes PHP scripts for the ETag, cache, and canvas PNG backends. Node.js and Django ports exist as separate projects. The Java-based mechanisms, which can even share identifiers across different browsers on the same machine, are maintained in a companion repository. The library is a research and demonstration project by Samy Kamkar. The README is direct about the risks: some mechanisms load Flash or Silverlight on page load, which can slow older machines significantly, and the CSS history approach can trigger a large number of HTTP requests. The author notes that using evercookie on real websites can damage user trust and reputation. Browser vendors have steadily closed many of the storage loopholes this project relies on, so a number of mechanisms no longer work in modern browsers. Several future ideas are listed in the README as unimplemented. The project is best understood as a technical demonstration of how many separate browser storage locations exist, rather than a tool meant for production use.

Yoink these prompts

Prompt 1
Using samyk/evercookie as a reference, list all the browser storage locations it writes to and explain which ones modern browsers have blocked.
Prompt 2
I want to understand how ETag-based tracking works. Based on the evercookie codebase, explain the technique and show me the PHP backend code that enables it.
Prompt 3
How does evercookie restore a deleted identifier using canvas PNG data? Walk me through the JavaScript mechanism step by step.
Prompt 4
I'm building a privacy audit tool. Using evercookie as a reference, write a JavaScript function that checks which browser storage APIs are available and writable.

Frequently asked questions

wtf is evercookie?

Evercookie is a JavaScript research library that stores a tracking identifier in over a dozen browser locations simultaneously so that clearing standard cookies alone cannot remove it, a technical demonstration of browser storage depth.

What language is evercookie written in?

Mainly JavaScript. The stack also includes JavaScript, PHP.

How hard is evercookie to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is evercookie for?

Mainly developer.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.