Facebook Cookies Analysis

Seralahthan
5 min read · Mar 14, 2019


In this post let’s look at some of the important cookies Facebook maintains for user sessions, chat state, third-party application sessions, analytics and so on.

Facebook maintains many cookies for multiple purposes, and it is not feasible in this post to identify and analyse the purpose of every single one. So let’s focus only on some of the important cookies present at the time of writing. The information below was correct when the post was written but is subject to change over time.

The number of cookies stored varies depending on parameters such as the following.

  • Facebook user: the user is registered and logged in
  • Facebook user: the user is logged out
  • Non-Facebook user: the user is not registered or logged in but accesses https://www.facebook.com/
  • Facebook user: the user is logged into Facebook and accesses other websites that embed a Facebook plugin

There can be scenarios other than the ones mentioned above.

When a non-Facebook user accesses Facebook without logging in, Facebook stores four cookies.

For a logged-in user Facebook stores the following cookies.

  • “act”
  • “c_user”
  • “datr”
  • “fr”
  • “presence”
  • “sb”
  • “spin”
  • “wd”
  • “xs”

If the user has recently logged out and then logged in again, the “locale” cookie will be present in addition to the cookies above.

Let’s see the roles played by each of these cookies.

“act”

The act cookie contains a Unix timestamp (the number of seconds elapsed since midnight UTC on January 1, 1970, not counting leap seconds) representing the time at which the user logged in.

This cookie is used to distinguish between two sessions for the same user, created at different times.

The value contained in the act cookie has been verified to be consistent with the time and date at which test logins were performed.

The lifetime of this cookie depends on the state of the ‘keep me logged in’ checkbox. If the checkbox is set, the cookie expires after 90 days of inactivity. If it is not set, the cookie is a session cookie.

Sent over HTTPS only (Secure flag set)
Domain => “.facebook.com”
Expires when the browser session ends.
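The attribute lines given under each cookie in this post (HTTPS only, domain, expiry) are exactly what a browser derives from the Set-Cookie response headers, so they can be checked mechanically rather than by hand. The following is an added example, not code from the original post or from Facebook: it parses constructed Set-Cookie lines shaped like the ones this post describes, classifies each cookie as session or persistent, computes the remaining lifetime in days against a fixed reference time, decodes an act value into a login time, and flags cookies missing the Secure or HttpOnly flag. The sample headers and values are constructed for illustration; the treatment of large act values as milliseconds is a defensive assumption of mine, not something the post states.

```javascript
// Added example (not from the original post): audit Set-Cookie response headers
// the way the attribute blocks in this post describe them: Secure flag, Domain,
// session vs persistent, and remaining lifetime. The headers below are constructed
// samples, not captured from Facebook.

// Fixed reference time so the lifetimes computed here are reproducible:
// 14 Mar 2019 12:00:00 UTC (the post's publication date).
const NOW = Date.UTC(2019, 2, 14, 12, 0, 0);

// Constructed Set-Cookie lines. The last one deliberately omits Secure and
// HttpOnly so the audit warnings below have something to flag.
const SAMPLE_SET_COOKIES = [
  'act=1552564800; Domain=.facebook.com; Path=/; Secure',
  'c_user=100000000000001; Domain=.facebook.com; Path=/; Expires=Wed, 12 Jun 2019 12:00:00 GMT; Secure',
  'datr=AAAAAAAAAAAAAAAAAAAAAAAA; Domain=.facebook.com; Path=/; Expires=Sat, 13 Mar 2021 12:00:00 GMT; Secure; HttpOnly',
  'wd=1920x1080; Domain=.facebook.com; Path=/; Max-Age=604800',
];

// Parse one Set-Cookie header into its name, value and attributes.
function parseSetCookie(header, now = NOW) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    domain: null,
    path: '/',
    secure: false,
    httpOnly: false,
    expires: null, // ms since epoch, or null for a session cookie
  };
  let maxAge = null;
  let expiresAttr = null;
  for (const attr of parts.slice(1)) {
    const [rawKey, ...rest] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'domain') cookie.domain = val;
    else if (key === 'path') cookie.path = val;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'max-age') maxAge = Number(val);
    else if (key === 'expires') expiresAttr = Date.parse(val);
  }
  // RFC 6265: Max-Age takes precedence over Expires when both are present.
  if (maxAge !== null) cookie.expires = now + maxAge * 1000;
  else if (expiresAttr !== null && !Number.isNaN(expiresAttr)) cookie.expires = expiresAttr;
  return cookie;
}

// Remaining lifetime in whole days, or null for a session cookie.
function lifetimeDays(cookie, now = NOW) {
  return cookie.expires === null ? null : Math.round((cookie.expires - now) / 86400000);
}

// The post describes act as a Unix timestamp in seconds giving the login time.
// Defensive assumption (mine, not the post's): a value above 1e11 is treated as
// milliseconds, since as seconds it would lie thousands of years in the future.
function actLoginTime(value) {
  if (!/^\d+$/.test(value)) return null;
  const n = Number(value);
  return new Date(n > 1e11 ? n : n * 1000);
}

// Summarise each cookie and flag the attribute weaknesses a reviewer looks for.
function auditCookies(headers, now = NOW) {
  return headers.map((h) => parseSetCookie(h, now)).map((c) => ({
    name: c.name,
    domain: c.domain,
    kind: c.expires === null ? 'session' : 'persistent',
    lifetimeDays: lifetimeDays(c, now),
    secure: c.secure,
    httpOnly: c.httpOnly,
    warnings: [
      ...(c.secure ? [] : ['no Secure flag: may be sent over plain HTTP']),
      ...(c.httpOnly ? [] : ['no HttpOnly flag: readable by page scripts']),
    ],
  }));
}

for (const row of auditCookies(SAMPLE_SET_COOKIES)) console.log(row);
console.log('act login time:', actLoginTime('1552564800').toISOString());
```

Run with `node`, or paste the Set-Cookie lines from a real response in place of the constructed ones. Note that the post never mentions HttpOnly; a cookie that carries a session secret but is readable from page scripts is worth calling out in any review, which is why the audit reports it alongside the Secure flag.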

“c_user”

The c_user cookie contains the user ID of the currently logged in user.

The lifetime of this cookie depends on the state of the ‘keep me logged in’ checkbox. If the checkbox is set, the cookie expires after 90 days of inactivity. If it is not set, the cookie is a session cookie and is therefore cleared when the browser exits.

Sent over HTTPS only (Secure flag set)
Domain => “.facebook.com”
Expires approximately 3 months after creation if ‘keep me logged in’ is set; otherwise expires when the browser session ends.

“datr”

The purpose of the datr cookie is to identify the web browser being used to connect to Facebook independent of the logged in user. This cookie plays a key role in Facebook’s security and site integrity features.

The code that generates and sets the datr cookie has been reviewed, and it has been confirmed that the execution path followed for a request for social plugin content does not set the datr cookie.

The datr cookie is a persistent cookie; its lifetime is currently two years.

Sent over HTTPS only (Secure flag set)
Domain => “.facebook.com”
Expires 2 years after creation.

“fr”

This cookie was observed being set by Facebook, but there is not sufficient information available on its purpose.

Sent over HTTPS only (Secure flag set)
Domain => “.facebook.com”
Expires approximately 3 months after creation.

“presence”

The presence cookie holds the user’s chat state, for example which chat tabs are open. It is a session cookie.

Sent over HTTPS only (Secure flag set)
Domain => “.facebook.com”
Expires when the browser session ends.

“sb”

This cookie was observed being set by Facebook, but there is not sufficient information available on its purpose. It is a persistent cookie.

Sent over HTTPS only (Secure flag set)
Domain => “.facebook.com”
Expires 2 years after creation.

“spin”

This cookie was observed being set by Facebook, but there is not sufficient information available on its purpose.

Sent over HTTPS only (Secure flag set)
Domain => “.facebook.com”
Expires 1 day and 1 hour after creation.

“wd”

This cookie stores the browser window dimensions and is used by Facebook to optimise the rendering of the page.

The wd cookie has been described as a session cookie, but at the time of writing it was observed with a one-week expiry, so it is in practice persistent.

Sent over HTTPS only (Secure flag set)
Domain => “.facebook.com”
Expires 1 week after creation.

“xs”

This cookie contains multiple pieces of information separated by colons (the colon is URL-encoded as %3A when transmitted).

  • The first value is a number of up to two digits representing the session number.
  • The second portion of the value is a session secret.
  • The third, optional component is a ‘secure’ flag indicating whether the user has enabled the secure browsing feature.

Because xs carries the session secret, it is (together with c_user) what authenticates a logged-in session, and it should be handled like a password: never paste it unredacted into bug reports, logs or shared HAR files.

The lifetime of this cookie depends on the state of the ‘keep me logged in’ checkbox. If the checkbox is set, the cookie expires after 90 days of inactivity. If it is not set, the cookie is a session cookie.

Sent over HTTPS only (Secure flag set)
Domain => “.facebook.com”
Expires approximately 3 months after creation if ‘keep me logged in’ is set; otherwise expires when the browser session ends.

“locale”

This cookie contains the display locale of the last logged in user on this browser.

This cookie appears to only be set after the user logs out.

The locale cookie has a lifetime of one week.

Sent over HTTPS only (Secure flag set)
Domain => “.facebook.com”
Expires 1 week after creation.

In addition to these cookies there are others, such as the “EagleEye” cookies, whose names begin with the characters “_e_”.

The cookie names consist of “_e_” followed by a four character random string, followed by an underscore and then an incrementally increasing number, starting at zero.

For example,
_e_gh2c_0, _e_gh2c_1, _e_gh2c_2, etc.

These cookies are generated by JavaScript and used to transmit information to Facebook about the responsiveness of the site for the user.
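The colon-separated structure of xs described above and the `_e_<tag>_<n>` naming scheme of the EagleEye cookies are both simple enough to recognise programmatically. The following is an added example, not code from the original post or from Facebook: it splits a constructed Cookie request header into a jar, decodes the xs value into the session number, secret and optional secure flag the post lists (keeping any further components rather than assuming there are none), groups EagleEye cookies by their four-character tag, sorts every cookie name into documented, EagleEye or other, and masks the xs secret before the header is written to a log. The header, the placeholder xs value and the assumption that the EagleEye tag is alphanumeric are mine, not the post’s.

```javascript
// Added example (not from the original post): pull apart a Cookie request header
// into the cookies this post documents, decode the colon-separated xs value, and
// group the EagleEye "_e_" cookies. The header is a constructed sample; the xs
// value is a placeholder, not a real session secret.

// Cookie names this post documents.
const DOCUMENTED = ['act', 'c_user', 'datr', 'fr', 'presence', 'sb', 'spin', 'wd', 'xs', 'locale'];

// Assumption (mine): the four-character random part of an EagleEye name is alphanumeric.
const EAGLEEYE = /^_e_([A-Za-z0-9]{4})_(\d+)$/;

// Constructed request header. "some_other" stands in for an undocumented cookie.
const SAMPLE_COOKIE_HEADER =
  'datr=AAAAAAAAAAAAAAAAAAAAAAAA; sb=BBBBBBBBBBBBBBBBBBBBBBBB; c_user=100000000000001; ' +
  'xs=12%3Aabcdef0123456789%3A1; act=1552564800; wd=1920x1080; presence=placeholder; ' +
  '_e_gh2c_0=321; _e_gh2c_2=654; _e_gh2c_1=987; _e_k9xz_0=111; some_other=1';

// Split "name=value; name=value" into a Map, keeping the raw (still URL-encoded) values.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const pair of header.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }
  return jar;
}

// Decode xs into the three components the post describes. Any further components
// (the post calls the third one optional and says nothing beyond it) go into `rest`.
function parseXs(raw) {
  if (raw === undefined) return null;
  let decoded;
  try { decoded = decodeURIComponent(raw); } catch { return null; }
  const [session, secret, secureFlag, ...rest] = decoded.split(':');
  if (!/^\d{1,2}$/.test(session) || !secret) return null;
  return {
    sessionNumber: Number(session),
    secret,
    secureFlag: secureFlag === undefined ? null : secureFlag,
    rest,
  };
}

// Group EagleEye cookies by their random tag, listing sequence numbers in order.
function eagleEyeGroups(jar) {
  const groups = new Map();
  for (const name of jar.keys()) {
    const m = EAGLEEYE.exec(name);
    if (!m) continue;
    const seq = groups.get(m[1]) || [];
    seq.push(Number(m[2]));
    groups.set(m[1], seq.sort((a, b) => a - b));
  }
  return groups;
}

// Sort the jar into documented names, EagleEye names and anything else.
function classifyJar(jar) {
  const documented = [];
  const eagleEye = [];
  const other = [];
  for (const name of jar.keys()) {
    if (DOCUMENTED.includes(name)) documented.push(name);
    else if (EAGLEEYE.test(name)) eagleEye.push(name);
    else other.push(name);
  }
  return { documented, eagleEye, other };
}

// c_user plus xs identifies and authenticates the session, so mask the xs secret
// before a Cookie header goes into a bug report or a log line.
function redactForLog(jar) {
  const out = new Map(jar);
  const xs = parseXs(jar.get('xs'));
  if (xs) {
    const flag = xs.secureFlag === null ? '' : `:${xs.secureFlag}`;
    out.set('xs', `${xs.sessionNumber}:<redacted ${xs.secret.length} chars>${flag}`);
  }
  return [...out].map(([k, v]) => `${k}=${v}`).join('; ');
}

const sampleJar = parseCookieHeader(SAMPLE_COOKIE_HEADER);
console.log(parseXs(sampleJar.get('xs')));
console.log(eagleEyeGroups(sampleJar));
console.log(classifyJar(sampleJar));
console.log(redactForLog(sampleJar));
```

The `other` bucket is the useful output when re-running this against a live session: any name that is neither documented here nor an EagleEye cookie is a candidate for the next round of analysis, and `redactForLog` is what should be applied before such a header is shared.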

These are some of the main cookies in play when you access Facebook. Apart from these there are many other cookies, set according to the particular use case.

Thank you for reading! Kindly provide your feedback for improvement.


Seralahthan

Consultant - Integration & CIAM | ATL@WSO2 | BScEng(Hons) in Computer Engineering | Interested in BigData, ML & AI