Abusing the Cache: Tracking Users without Cookies (joshduck.com)
55 points by madars on Jan 28, 2010 | 19 comments



That's a pretty ingenious hack. More limited in use than a real cookie (real cookies are sent along with every request, even for images etc.), but still pretty cool.



IIRC this was on Hacker News less than a week ago. 4 points for simply repeating it? I'm startled.


It was on HN, but the title was only Panopticlick, so I figured people may have skipped over it, and it's relevant to this conversation.


Startled, yeah. I know, four whole points. I almost stopped breathing...


Perhaps a simple fix at browser level would be to treat cached files with future etags like cookies, clearing or ignoring them with the same policy.

It's a genius trick though.


It's neat, but it's not a new idea. http://sourcefrog.net/projects/meantime/


Chrome's incognito window shields you from this attack - it starts you off with a fresh set of history/cache/cookies every time you start it up.


It's not an attack.


But you still get the same flash cookies, which are persisted across browsers.


Like FF's private browsing, I suppose.


This could be defeated easily by a good, old-fashioned web proxy. Other than that, or blacklisting, there's no efficient way around it. Wow.


One purpose is web tracking, especially in the affiliate marketing niche, which "suffers" from cookie deletion because the cookie-based tracking then does not recognize visitors and thus affiliates don't get paid... Fingerprint methods are another alternative, although less precise and more difficult to implement.


Wow. No JavaScript required, cookies turned off, just the browser cache and he will find you and hunt you down.


The only thing missing is purpose.


I guess once you can tell who is who, you can start targeted marketing.

Or collect data on people. Likely only a matter of time until you can build up a complete record, including name, address, social security number.


And for users who disable caching?


And for users who disable cookies?


Very clever. Props for creativity and originality.



