What are the three cookie types by storage mechanism: standard HTTP cookies, Flash cookies (LSO), and Perma-Cookies?
Standard HTTP cookies are normal browser-stored text files; Flash cookies (LSOs) are harder to delete and cross-domain; Perma-Cookies are injected by ISPs into HTTP headers and can't be removed by the user.
* Cookie types by where they are stored. *
* How a standard HTTP cookie is set and returned. — Tizio, CC BY-SA 3.0, via Wikimedia Commons. *
| Type | Stored by | Key property |
|---|---|---|
| Standard HTTP cookie | Web server, in the browser | Auto-sent on every request; enables login, carts, personalization |
| Flash cookie (LSO) | Adobe Flash Player | Harder to delete, usable cross-domain |
| Perma-Cookie (ISP-level) | Internet Service Provider | ISP injects a unique identifier into the HTTP header |
The Perma-Cookie is the scariest: because the ISP adds the identifier in transit, it sits outside the browser entirely — clearing cookies or going incognito does nothing. The infamous Verizon "Supercookie" (2012–2015) did exactly this, leading to large fines for misuse.
Tip: Check cookies in DevTools (F12 > Application > Storage > Cookies) and inspect attributes like HttpOnly, Secure, and SameSite.
Go deeper:
HTTP cookie (Wikipedia) — cookie storage, attributes and supercookie/ISP-injection variants.