As for Microsoft getting caught with its hand in the zombie cookie jar, the company was quick to disavow the behavior, as Computerworld reported. Mike Hintz, Microsoft's associate general counsel, said, "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued."
Mayer found two zombielike mechanisms, both implemented by a script called wlHelper.js. By design, wlHelper.js is supposed to make it possible for Microsoft to track a user across several different Microsoft domains. There's nothing particularly fattening, illegal, or immoral about that -- but making the cookies persistent put Microsoft's behavior in a decidedly gray area.
The first approach creates a cookie, then sticks a copy of the cookie along with wlHelper.js in the browser's cache. If the user deletes the cookie but doesn't clear the browser cache, wlHelper.js jumps back and re-creates the cookie.
The second approach, called ETags, stores the cookie in the browser cache by having the cache hold a bogus version number, which can subsequently be retrieved. Once again, if the user deletes the cookie but doesn't clear the browser cache, wlHelper.js is smart enough to retrieve the old cookie from the bogus version number. According to Mayer, this technique was first observed in the wild just two weeks ago.
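Both mechanisms leave the same observable trace: an identifier that was deleted with the cookies turns up again afterward. The following added example (not code from the article, Mayer, or Microsoft) audits a recorded request trace for that pattern and labels the likely vector; the trace format, the field names, the `example` hosts and the assumption that the identifier appears verbatim in the `If-None-Match` value are all constructed for illustration.

```javascript
// Constructed trace of one browser profile (not captured data). "clear" marks
// the user deleting cookies while leaving the HTTP cache intact.
const sampleTrace = [
  { type: "request", url: "https://site-a.example/", cookies: { uid: "7f3a9c" } },
  { type: "clear" },
  { type: "request", url: "https://cdn.example/tracker.js", cookies: {},
    ifNoneMatch: '"uid-7f3a9c"' },   // cache revalidation carries the old ID
  { type: "request", url: "https://site-b.example/", cookies: { uid: "7f3a9c" } },
];

// Flag cookies whose exact name=value pair was seen before a clear and shows
// up again after it. A genuinely fresh visit should get a new identifier, so
// a repeat means the value survived somewhere outside the cookie store.
function findRespawnedCookies(events) {
  const earlier = new Set();  // pairs seen before the most recent clear
  const current = new Set();  // pairs seen since the most recent clear
  let validators = [];        // If-None-Match values sent since the clear
  const findings = [];
  for (const ev of events) {
    if (ev.type === "clear") {
      current.forEach((k) => earlier.add(k));
      current.clear();
      validators = [];
      continue;
    }
    if (ev.type !== "request") continue;
    if (ev.ifNoneMatch) validators.push(ev.ifNoneMatch);
    for (const [name, value] of Object.entries(ev.cookies || {})) {
      const key = `${name}=${value}`;
      if (earlier.has(key) && !current.has(key)) {
        // Assumption: the ID sits verbatim in the ETag. An encoded ID is
        // reported as "cache-or-other" and needs manual review.
        const viaEtag = validators.some((v) => v.includes(value));
        findings.push({ name, value, url: ev.url,
                        vector: viaEtag ? "etag" : "cache-or-other" });
      }
      current.add(key);
    }
  }
  return findings;
}

console.log(findRespawnedCookies(sampleTrace));
```

A finding labelled `cache-or-other` covers the first mechanism (a copy held in a cached script) as well as anything else that survived the cookie deletion, so it only says where not to look.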
Mayer found copies of wlHelper.js in these sites:
If you visited one of those sites, wiped out your cookies, and then visited another, your cookies came back.
This story, "'Zombie cookies' just won't die: Microsoft admits use, and HTML5 looms as new vector," was originally published at InfoWorld.com.