Getting rid of Flash cookies

Pretty much every Flash movie on the web today uses Flash Player’s global storage feature to store data on your disk, similar to regular browser cookies. What makes this feature so problematic is the lack of proper control mechanisms. For example, for browser cookies I selected “Keep until I close Firefox” which makes sure that cookies can be set (no site functionality is broken) but won’t survive too long. But this setting won’t apply to Flash data. Same goes for the Private Browsing mode in Firefox 3.1, it has absolutely no effect on Flash. Note also that Flash data is the same for all browsers and all profiles.

Now theoretically you can change Flash settings to address this problem. Of course this feature is so well-hidden that I doubt anybody ever uses it. Still, when I tried all I got was constant nagging: “Do you want to allow this site to write data to your disk?” Honestly, is it so hard to add a “never allow” option? Not to mention that even with the most restrictive settings Flash continues to remember which sites I visited (again, clearing browser history or Private Browsing mode have no effect). But these settings break many sites nevertheless.

Altogether, it doesn’t look like Flash developers put much thought into ensuring user’s privacy. My solution might be somewhat drastic but I don’t see any alternative until Flash improves (ideally that would mean exposing its storage to the browser so that usual cookie settings can be applied to it, they should at least give users usable options however). I wrote a tiny WSH script to remove the Macromedia directory:

var FSO = WScript.CreateObject("Scripting.FileSystemObject");
var Shell = WScript.CreateObject("Wscript.Shell");
try {
  FSO.DeleteFolder(Shell.ExpandEnvironmentStrings("%APPDATA%\\Macromedia"), true);
} catch(e) {} // don't care if folder wasn't found

Then I scheduled a task to run it every five minutes:

Now all sites work again, I’m not nagged with stupid questions and nevertheless Flash data isn’t stored. Perfect, isn’t it?

Comments

  • zef

    Or you could just right-click on a flash video and click the ‘Settings…’ option from the menu that should appear. Then click on the third tab (Local Storage) and just reduce the size to zero and click ‘never ask again’. To the best of my knowledge that should work too.

    Wladimir Palant

    a) This is a per-site setting, you would have to repeat it for each site you visit (and then repeat again if they decide to relocate the Flash movie).
    b) Each site you do it for is visible under http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
    c) It breaks sites.

  • Fowl

    @zef That breaks websites though.

    another thing with these “Flash cookies” is that they don’t respect the private browsing mode settings of various browsers, are OS profile wide (contaminating all browsers) and aren’t cleared in “Clear Private Data”.

    They also make Firefox Portable less… portable.

  • zef

    fair enough

  • Arthur

    I’d rather wrap the Firefox startup script with it in order to simulate “Session Cookies”. I’d be a bit wary of a cron job deleting the cookies from under the feet of the running flash applets. It might work most of the time, but fail with unforseen and hard to debug problems.

    Wladimir Palant

    I think I can live with these problems (though I don’t really expect any). Problem is, simulating session cookies isn’t possible – because session cookies are never written out to disk in the first place. Closest thing would be removing Flash cookies when Firefox is shut down. Unfortunately, you cannot really tie script execution to that event. I guess one could change the cron job to check first whether browser is running and only remove the directory if it is not – but I rarely have the browser closed long enough.

  • Philip Chee

    http://objection.mozdev.org/history.html

    [quote] # Improved privacy features

    * Added option to delete LSOs on browser open/close, optional to also delete site settings

    * Removes site and setting directories that do not contain files (On exit)

    * Updates Flash Player settings file to remove deleted sites (On exit)
    [/quote]

    Phil

  • Tim

    Seems a bit drastic if you have other Macromedia/Adobe applications installed.

    Wladimir Palant

    Well, you can remove “APPDATA\Macromedia\Flash Player” of course. I don’t care about anything Macromedia applications want to store which is why I did it that way.

  • Lucy

    What about on OSX. Would this be the directory?
    /Users/User/Library/Preferences/Macromedia

    and would running the command
    sudo chflags uchg,schg /Users/User/Library/Preferences/Macromedia

    be sufficent?

    Wladimir Palant

    ~/Library/Preferences/Macromedia is the directory on OS X. Just running “rm -rf ~/Library/Preferences/Macromedia” should be sufficient – without sudo because you are removing your own directory.

  • Asshole

    I hate dealing with Flash cookies. I use Pandora.com and am constantly dealing with the build-up of other Flash crap, while trying to avoid deleting Pandora.com cookies. It’s not a huge deal to wipe out Pandora.com’s cookies, but it’s a pain in the ass to have to log in and reconfigure the player every time.

    Yet surprisingly enough, I have NEVER seen an application or extension that automates this.

    I tried a batch file kludge in which I copy off the wanted Flash cookies, wipe out the remaining directories, then copy it back, but haven’t gotten it to work yet.

    It’s this kind of crap that makes me want to punch shitty engineers in the throat.

  • chewey

    Heh :-)

    I do this already since… (/me checks creation date for script)… June 14th 2005. I’ve never encountered any problems.

    Of course, this means that e.g. the progress in flash games will not be remembered, but I can live with that.

  • Marc

    What about using the Firefox extension BetterPrivacy? I thought that extension provides all the needed functionality to remove Flash cookies periodically.

  • Anonymous

    Or you could just not use Flash. Problem solved. :)

    I don’t run any proprietary software, which includes Flash. And in any case I don’t care about any sites that use Flash, so I haven’t bothered installing swfdec or Gnash either.

    I only ever care about video hosting sites, and for those I use youtube-dl, ClipNabber, or KeepVid, which let me download the video to watch locally. And hopefully the new video tag will help solve that problem, though I suspect the major video hosting sites will avoid it out of the brain-damaged idea that they don’t want people to easily download their videos.

  • Feander

    Thanks for the inspiration. I made a script and put it into my start folder, so it is executed every boot (for me this means at least once daily).

    I don’t see, that Adobe will improve this. With flash audio this is the same problem. There is no easy way to lower/mute it globally. But Adobes (paying) customers aren’t the normal users; the advertising companies fill pockets. So they will never change this.

  • Rich

    This seems like a perfect application for Sandboxie (http://www.sandboxie.com).

  • Lucy

    @7 Reply

    No I understand. I had ‘sudo’ in my example as chflags can only be set by root.

    Wladimir Palant

    I looked up the chflags command and I see now. I would expect it to have the same effect as removing permissions to modify the directory on Windows – Flash can no longer write out its cookies which will break some sites.

  • Neil Rashbrook

    You don’t need a separate script.

    cmd /c rd /s /q %APPDATA%\Macromedia

    Although I guess the cmd window flash could be annoying.

    Wladimir Palant
  • Neil Rashbrook

    Sorry, there should of course be percent signs around APPDATA, but I can’t work out how to produce them.

    While I’m here I’d like to be able to remember the form fields for your site locally, not via some cookie. But the Name field seems to get a random name each time, fooling autocomplete :-(

    Wladimir Palant

    Yes, Textile is somewhat weird at times. I fixed your comment, not sure how you would use a percent sign other than by using the HTML entity.

    As to form fields – sorry about breaking autocomplete but I don’t see how I can fix that without letting spam bots post on this blog again.

  • Haploid

    Alternatively, you can alter the permissions on the Macromedia folder, adding Deny to Everyone. That way Flash Player can’t even write into the folder, so there are no files to be cleaned up.

    I’ll admit I’ve only tested this on one or two websites to see if it works, and I have no trouble there.

    Wladimir Palant

    See above, this will break some websites (e.g. justin.tv).

  • Haploid

    I fiddled with it some more using justin.tv as a test subject. Ended up denying only List Folder/Read Data to Everyone. Oddly enough, that is good enough for Flash Player. Apparently, it only cares about being able to write something, but it doesn’t actually need to read it for justin.tv to work.

    On Macromedia folder, go to Security tab -> Advanced -> Add, select Everyone, click Deny for List Folder/Read Data.

    Flash Player will then be able to write Flash cookies, but not read them.

    Wladimir Palant

    Yes, this will do the job – if you can accept the fact that your disk is littered with tons of useless data (Flash will create a new directory for the cookies every time because it doesn’t know where it stored them before) and that your history is still being stored (have a look at “Macromedia\Flash Player\macromedia.com\support\flashplayer\sys”).

  • fox

    “Now theoretically you can change Flash settings to address this problem. Of course this feature is so well-hidden that I doubt anybody ever uses it. Still, when I tried all I got was constant nagging: “Do you want to allow this site to write data to your disk?””

    No nagging if you select “Never Ask Again”.
    I have selected that.
    And then on some sites that don’t load flash because Local Storage is off, like: spike.com and metacafe.com, i right-click on a flash video, click the “Settings…” and give them 10KB.

    Works fine here. And i dont care if then few sites have Flash cookies. I think i have allowed 4 or 5 sites.

  • A.

    Hi, I’d like to try this script that you’ve created ~ Where &

    What file, would I put this ? Thnx, <3 Ad Block BTW ~ Genius!

  • Jessica Sideways

    This kinda makes me glad that I don’t develop in Flash.

  • Ainkami

    You might want to backup your settings.sol file to keep your Flash preferences before wiping Flash cache.
    Put this into a .bat file:
    @echo off
    xcopy /y “APPDATA\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol” “TEMP\”
    rd /s /q “APPDATA\Macromedia\Flash Player\”
    xcopy /y “TEMP\settings.sol” “APPDATA\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\”

  • Jim

    Like an earlier commenter, I’m curious why you don’t think either Better Privacy or Objection FF extensions accomplish the same thing (although not on a 5 minute cycle). But every browser open/close would seem to be sufficient for most requirements.

    Wladimir Palant

    I need a very basic thing – get rid of Flash cookies (something that should have been possible with Flash itself but isn’t for reasons that are beyond me). Both Better Privacy and Objection (but especially Better Privacy) do a lot more, things that I don’t need and that I even find questionable. I always choose the extensions I install very carefully because the browser is an essential tool for me and needs to be stable/fast. These two extensions just aren’t useful/safe enough to make my list.

    Besides, I close my browser very rarely, once a week at most.

  • Tom T.

    Wladimir wrote: “Both Better Privacy and Objection (but especially Better Privacy) do a lot more, things that I don’t need and that I even find questionable.”

    AFAIK, the only other functions in Better Privacy are disabling of DOM storage and disabling ping tracking. Fx itself can be set to dom.sotrage.enabled = false. NoScript provides block of <a ping>, and even the option to allow it on your trusted sites while disallowing on all others, if you wish. So you can uncheck these two options in Fx > Tools > Better Privacy > Options, and then you will be left with only LSO removal, as you wished for. If you don’t close the browser often enough, you can set a timer if you like, including warnings before LSO deletion. (Personally, I close my browser frequently to ensure trash cleanup. To each, their own.)

    Before I found Objection and then BP, I just made a desktop shortcut to the #SharedObjects folder. Anytime I wanted to delete, 2-click and empty. You can choose whether to point this shortcut only to LSO and preserve your settings.sol, or point it to Flash Player and delete all. So perhaps this should be your preferred choice?

  • friend

    Using the freeware utility CCleaner ( www . ccleaner . com )
    you can target the SharedObjects folder contents for deletion (star dot star filemask) (and any other paths you wish). It can be set to run at each Startup, and/or you can run it on-demand at any time (adds a right-click command to the RecycleBin context menu).
    The app ALSO enables you to target various browser caches/cookies (and the infernal MSIE index.dat file). For any files currently locked / in use, it marks them “pending deletion” so they are deleted upon next startup.

    =====================

    related note:
    another freeware app, MozillaCacheViewer, from ( www . nirsoft . com ) is the best app I’ve found for viewing and drag/drop extracting Mozilla cached files. (Tip: in order to delete files from the Mozilla disk cache, you must close the browser before launching the viewer utility.)

  • istanbul

    recommend my solution

    deny write permission , yourcurrently acc. with system block folder&subfolders&files to appdata/adobe/flash player ,macromedia/flash player
    so ur acc. can not create any thing, your browser too
    dnt forget first delete that files:D

    when need something to write this folder (i not know why?) take replace owner…

    Wladimir Palant

    As I said above, if Flash cannot set its cookies at all this will break many sites.

  • anonymous

    I’ve noticed that flash LSO settings can be reset to the default withought your knowledge. I haven’t determined exactly what sites can do this, but I have noticed that periodically the settings are changed to allow LSOs. Relying on Flash LSO settings is useless.

    The only solution is something external that can wipe the files or changing permissions on the flash directories. Both options break some sites, but not as many as you think.

    Wladimir Palant

    Wiping files regularly as I suggested here doesn’t break any sites whatsoever (at least I didn’t see any that would be broken). Changing file permissions breaks lots of sites (I went with this option before and had to deal with broken sites all the time).

  • Zo

    For ages now—ever since I realized the Flash Settings panel doesn’t do a damn thing—I’ve kept the following OS 10.5.6. User folders locked, to no ill effects whatsoever:

    ~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys

    and ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/{folder}

    No more crap to empty.

  • Spade

    @ Zo (and others),

    I’m on Mac OS X, and I too had first used Flash settings to deny sites from writing out Flash cookies, then (after discovering how useless that was) I locked the “~/Library/Preferences/Macromedia/Flash Player” folder to forcibly prevent changes.

    However, I kept running into sites where Flash video wouldn’t play in any browser. As Wladimir has (repeatedly!) pointed out here, simply preventing Flash from being able set its cookies (regardless of how you do it) breaks functionality on too many sites.

    So instead, taking a cue from the reply to #7 above, I wrote a bash script containing the line “rm -rf ~/Library/Preferences/Macromedia/Flash\ Player” (without the quotes), and set it to run every five minutes using the excellent open-source Lingon program (http://tuppis.com/lingon/).

    This accomplishes the same thing under OS X that Wladimir’s scheduled script accomplishes under Windows (except that mine deletes just the Flash Player folder, rather than the entire Macromedia folder). Since doing this, I no longer have trouble with Flash video sites.

  • Nietzsche

    Consider using removed name of $25 commercial application to replace the simple and absolutely free script in this blog post “Adobe cookies” is the last menu item in the program.

    Links removed

  • Andy

    Hi Wladimir thanks a lot for the script.

    It took me a while to get it working though as I was following the settings in your screenshots exactly.

    In the end I figured out it was the start in field causing problems, instead of:

    c:\scripts

    it should be:

    c:\scripts\

    This small change got the task manager correctly triggering the script for me.

  • WAP-Tek.tk

    @echo WAP-Tek’s flushflash.bat
    @echo i am not resposible for you IGNORING WARNINGs,,
    @echo LEARN TO HACK OR FAIL!
    @echo WAP-Tek.tk
    @echo .
    @echo WARNING read the contents of this “program” and edit it NOW
    @echo .
    @echo This file MUST be customized for you systems folder structure or
    @echo it WILL erase your system files by accident !!!
    @echo .
    @echo this is not guarenteed to work but
    @echo for a “safer” alternative you can block flash cookie creation,,
    @echo .
    @echo you can put a dummy file FOR each folder that shows sol files in it
    @echo place dummy files named after the sub-directorys listed as having
    @echo sol files , flash will fail to save anything because
    @echo it cannot understand that a file is not a directory
    @echo .
    @ECHO press [Ctrl] © to stop this NOW !!
    @echo .
    @echo or
    @pause

    @cd “C:\WINDOWS\Application Data\Macromedia\Flash Player”
    @dir /a
    @ECHO press [Ctrl] © to stop this NOW or
    @echo .
    @echo or
    @pause
    @deltree /Y .

    @cd “C:\WINDOWS\Application Data\Adobe\Flash Player\AssetCache”
    @dir /a
    @ECHO press [Ctrl] © to stop this NOW or
    @ECHO .
    @echo or
    @pause
    @deltree /Y .
    @cls
    @exit

    Wladimir Palant

    Just for your info: it is year 2009 and Windows 98 is “a little” out of fashion. Not to mention that your script does exactly the same thing as the one described in the blog post – but uses hardcoded paths and opens a console window / requests user action for no good reason.

  • wap-tek.tk

    well you are absolutly right,,,forgive me!

    my customers use mac, windows, linux, or “other” setups
    so i need something that will work in all setups or can be adapted to them

    i use 98 or what ever will stay out of my way while i work
    and can be reloaded with a minimum of time/effort
    i use bartpe, linux, QNX, etc to fix systems for a living
    95% xp or vista

    and the request for user action allows the user to
    fix the hard coded paths and is a CoverMyAss thing

    your script ,, does it work in 95 98 9x nt 2k xp vista?
    i am ignorant of the answer ,, mine requires a LFN command
    and can be used if altered for the system i put it on

  • Hmmmm

    Excuse me, but anyone know the settings manager?
    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
    ?

    Flash player will never ask again

    Wladimir Palant

    At the expense of tons of websites that will stop working. Thanks for reading my blog post, particularly the second paragraph.

  • SurFurBob

    Hello Wladimir, I was just viewing your site and learning about Adblock Plus. I have checked your Blog and the top comment is about “ Getting rid of Flash Cookies”
    I left clicked on “ Change Flash Settings” and got the Adobe Settings Manager. Have you checked it lately?
    There IS a “ Never Allow Option” or doesn’t it do all you want?
    This is all new to me as I thought deleting Cookies did it all but after reading your Blog you have me worried.
    SurfurBob

    Wladimir Palant

    Yes, there is a “Never Allow” option – but last time I tried that one many websites refused to work and Flash started to ask me all the time whether I want to allow a website to store its data on my computer.

  • jre6

    A shell script for Linux to remove LSOs. Put the code in any text editor and save it. It requires to be executed on every user account. To delete LSOs from all user accounts, just replace the path in third line with /home/*/.macromedia/Flash_Player/#SharedObjects/* (not yet tested, may also require sudo)

    #!/bin/sh

    echo “This will delete all flash cookies from your user account”

    rm -r ~/.macromedia/Flash_Player/#SharedObjects/*

    exit

    #EOF.

  • laopa

    Hi,

    This is a really dumb question but as a newbie I have no idea how to copy/install and use your WSH script for Flash Cookies. I would very much like to use it, as these Flash Cookies and the other Macromedia individual web site alternative are driving me crazy. Can you please explain the basics for a 5 year old to make use of your great efforts here..

    I apologies again for my newbieness.

    laopa

    Wladimir Palant

    Then you should be better served with an extension like BetterPrivacy (https://addons.mozilla.org/addon/6623/).

  • laopa

    Hi,

    Thanks for getting back to me. I already have BetterPrivacy installed in Firefox.

    Since posting I search around a bit on the Internet and then, >highlighted the script in the box above > copied it and pasted it into notepad >saved it as a js file and > then copied pretty much what was on the the screens shots in your blog above. Did however make a sub folder in C:\Scripts\SubFolder and saved the js script to there and start > control panel > scheduled tasks > add scheduled task > followed your setting.

    Macromedia folder/directory in C:\Documents and Settings\XXXmeXXX\Application Data\Macromedia is gone and although BetterPrivacy shows FlashCookies when I shut down Firefox it complains that No Flash Cookies can be found so I guess it must be working.

    Have noticed another folder/directory listed under C:\Documents and Settings\Administrator\Application Data\Macromedia and not sure what to do with that? Renamed it by Adding ADMIN on the end of Macromedia i.e MacromediaAdmin but I will look into whether I should just delete it?

    Thanks for your efforts.

    laopa