Websites can store information inside the browser.
The best-known mechanism is cookies. There are also storage areas such as and . They are used to store login state, settings, carts, identifiers, and app data.
They are convenient mechanisms, but for anonymity, they become strong correlation clues.
Even if you change your IP address, if the same cookie is sent, you are treated as the same browser. Even if you use a or , activity can still connect if you use the same storage area as your real-name environment.
This article organizes how storage areas inside the browser relate to anonymity. Details are covered in "Differences between cookies, sessionStorage, and localStorage."
Storage areas inside the browser
s, localStorage, and IndexedDB are mechanisms websites use to store information on the browser side.
Storage area
Main uses
Anonymity caution
Cookie
Login state, sessions, identifiers
Sent during requests
localStorage
Settings, simple data
Used from JavaScript
IndexedDB
Larger app data
Web app information remains
sessionStorage
Temporary storage per tab
State remains during the session
Cache
Images and scripts
Becomes a clue to browsing history
These make the Web convenient.
However, as long as you keep using the same browser, behavior becomes easier to connect over time.
Why this becomes a problem for anonymity
For anonymity, the problem is that actions by the same user become linked.
Cookies and localStorage create that link. For example, after viewing a site from your home IP, if you access the same site through a VPN but the same cookie is sent, it is recognized as the same browser.
Situation
What happens
Problem for anonymity
Changing only the IP
The same cookie is still sent
It is clear that this is the same browser
Anonymous browsing after real-name login
Storage areas remain
Behavior connects with the real-name environment
Multiple accounts in the same browser
Stored states mix
Account separation breaks
Using a Web app
Data remains in IndexedDB
Past use remains
Cache remains
Revisited pages or viewed items remain
It becomes a trace on the device
VPNs and Tor change how the communication route appears.
Storage areas inside the browser are a separate issue.
When deleting cookies is not enough
Deleting cookies is useful.
However, if localStorage, IndexedDB, cache, service workers, or related site data remain, Web app state may remain.
What remains
Content
Caution
localStorage
Site settings or identifiers
May not disappear by deleting only cookies
IndexedDB
Web app data
Large amounts of information remain
Cache
Retrieved files
Becomes a trace of browsing or use
Service Worker
Offline processing and notifications
May keep site functions active in the browser
Login state
Service-side session
Does not stay entirely within the browser
For anonymous activity, it is important to separate the real-name browser and anonymous browser.
A design that does not mix them is more stable than handling it by deletion every time.
What to check
When handling storage areas inside the browser, think about what not to mix before thinking about what to delete.
Check item
Reason
Whether you separated browsers for real-name use and anonymous use
Avoid mixing storage areas
Whether you are using the same site with real-name and anonymous identities
Avoid account correlation
Whether you checked storage areas other than cookies
localStorage and IndexedDB remain
Whether you separated browser profiles
Also separate extensions and history
Whether you kept Tor Browser's standard settings
Avoid making yourself stand out through custom settings
For high-risk activity, consider separating not only the browser but also the OS user, device, and communication route.
Prioritize separation over deletion
Cookies and storage areas can also be deleted.
However, a process that requires perfect deletion every time is fragile. Forgotten deletion, logging in again, storage areas for other sites, sync settings, and similar factors cause mixing.
Method
Benefit
Caution
Delete every time
Easy to start
Forgotten deletion or missed targets happen
Separate browser
Makes real-name and anonymous use easier to separate
Separate extensions and settings too
Separate profile
Can separate within the same browser
Requires a clear habit to avoid opening the wrong one
Tor Browser
Designed to reduce storage and identification
Do not change standard settings
Separate device
Allows strong separation
Management cost increases
For low risk, profile separation may be enough in some cases.
For high risk, consider separating the device or OS too. What matters is deciding how much separation you need based on the threat model.
Common mistakes
Failures around browser storage areas happen during familiar routines.
Mistake
What happens
Posting anonymously from the usual browser
Mixes with real-name cookies and history
Only turning on a VPN
Cookies are still sent unchanged
Feeling safe after only logging out
localStorage and IndexedDB remain
Using the same extensions
The browser environments become similar
Not turning off cloud sync
History and settings spread across devices
For anonymity, check the communication route and the state inside the browser at the same time.
Basic policy for anonymous activity
For handling cookies and storage areas, make "do not mix" the basic rule rather than "delete."
Once you decide on a browser for anonymous activity, do not use real-name services in that browser. Do not use anonymous accounts in the real-name browser. Separate cloud sync and password sync too. This simple rule becomes a strong countermeasure over the long term.
Policy
Meaning
Separate uses
Do not mix real-name use and anonymous use
Check sync
Do not spread history or settings to other devices
Separate logins
Avoid account correlation
Regularly check storage areas
Do not leave unnecessary data
For high risk, separate devices too
Do not rely only on browser separation
Summary
Cookies, localStorage, and IndexedDB are mechanisms websites use to store information in the browser.
They are convenient features, but for anonymity, they become clues that link actions by the same browser.
Even if you change your IP address, if the same cookies or storage areas remain, you may be treated as the same browser or environment.
For anonymity, think about the communication route and browser storage areas separately.
It is important not to mix real-name and anonymous environments, and to use a dedicated browser or dedicated profile as needed.
Related tools
WebRTC Leak Test
BrowserLeaks WebRTC
An external resource related to this article. Open it only when it fits your situation and threat model.
Why it is listed: It can help with the article topic, but it is outside Anonymity Sense and should be checked before use.