Facebook Cookies Analysis


In this post let’s look at some of the important cookies Facebook maintains to track user sessions, chat sessions, third-party application sessions, analytics and so on.

Facebook maintains many cookies for multiple purposes, and it is not feasible in this post to identify and analyse the purpose of every single cookie. So let’s focus only on some of the important cookies present at the time of writing. The information provided below is correct at the time of writing but is subject to change over time.

The number of cookies stored varies depending on parameters such as the following.

  • Facebook user: the user is registered and logged in
  • Facebook user: the user is logged out
  • Non-Facebook user: the user is not registered or logged in but accesses https://www.facebook.com/
  • Facebook user: the user is logged into Facebook and accesses other websites that embed a Facebook plugin

There can be more scenarios than the ones mentioned above.

When a non-Facebook user accesses Facebook without logging in, Facebook stores 4 cookies.

For a logged-in user Facebook stores the following cookies.

  • “act”
  • “c_user”
  • “datr”
  • “fr”
  • “presence”
  • “sb”
  • “spin”
  • “wd”
  • “xs”

If the user logged out recently and then logged in again, the “locale” cookie is present in addition to the cookies above.

Let’s see the roles played by each of these cookies.

“act”

This cookie is used to distinguish between two sessions for the same user, created at different times.

The value contained in the act cookie has been verified to be consistent with the time and date at which test logins were performed.

The lifetime of this cookie depends on the state of the ‘keep me logged in’ checkbox. If the checkbox is set, the cookie expires after 90 days of inactivity. If it is not set, the cookie is a session cookie.

Sent over HTTPS only
Domain => “.facebook.com”
Expires when the browser session ends (when ‘keep me logged in’ is not set).

“c_user”

This cookie carries the user ID of the currently logged-in user.

The lifetime of this cookie depends on the state of the ‘keep me logged in’ checkbox. If the checkbox is set, the cookie expires after 90 days of inactivity. If it is not set, the cookie is a session cookie and is therefore cleared when the browser exits.

Sent over HTTPS only
Domain => “.facebook.com”
Expires approximately 3 months after creation (if ‘keep me logged in’ is set) / expires when the browser session ends.

“datr”

The datr cookie identifies the browser used to connect to Facebook. The datr generation and setting code has been reviewed, and it has been confirmed that the execution path followed for a request for social plugin content does not set the “datr” cookie.

The lifetime of the “datr” cookie is currently two years; it is a persistent cookie.

Sent over HTTPS only
Domain => “.facebook.com”
Expires 2 years after creation.

“fr”

This cookie is used to deliver and measure ads.

Sent over HTTPS only
Domain => “.facebook.com”
Expires approximately 3 months after creation.

“presence”

This cookie supports Facebook chat, recording the user’s online (presence) state.

Sent over HTTPS only
Domain => “.facebook.com”
Expires when the browser session ends.

“sb”

This cookie stores browser details used when logging in.

Sent over HTTPS only
Domain => “.facebook.com”
Expires 2 years after creation.

“spin”

Sent over HTTPS only
Domain => “.facebook.com”
Expires 1 day and 1 hour after creation.

“wd”

The wd cookie is a short-lived cookie that stores the browser window dimensions.

Sent over HTTPS only
Domain => “.facebook.com”
Expires 1 week after creation.

“xs”

  • The first component is a number of up to two digits representing the session number.
  • The second component is the session secret.
  • The third, optional component is a ‘secure’ flag indicating whether the user has enabled the secure browsing feature.

The lifetime of this cookie depends on the state of the ‘keep me logged in’ checkbox. If the checkbox is set, the cookie expires after 90 days of inactivity. If it is not set, the cookie is a session cookie.

Sent over HTTPS only
Domain => “.facebook.com”
Expires approximately 3 months after creation (if ‘keep me logged in’ is set) / expires when the browser session ends.

“locale”

This cookie appears to be set only after the user logs out.

The locale cookie has a lifetime of one week.

Sent over HTTPS only
Domain => “.facebook.com”
Domain => “.facebook.com”
Expires in 1 week from the creation time.
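The attributes listed for each cookie above (Secure, Domain, session versus persistent expiry) are exactly what a reviewer checks when auditing a site’s cookies. The script below is an added example, not code from the original post or from Facebook: it parses Set-Cookie headers, works out each cookie’s lifetime the way a browser does (Max-Age takes precedence over Expires; neither means a session cookie), and flags cookies that are missing Secure or HttpOnly or are scoped to an unexpected domain. The headers are constructed to mirror the attributes described in this post, with placeholder values and a fixed reference time; HttpOnly is not discussed in the post but is worth checking for any cookie that holds a session secret.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Reference time for the audit (constructed; the sample headers below are
# written relative to it so that the lifetimes come out as whole days).
NOW = datetime(2020, 7, 16, 10, 0, tzinfo=timezone.utc)

# Constructed Set-Cookie headers modelled on the attributes listed in this post.
# Cookie values are placeholders, not real Facebook values; "locale" is
# deliberately left without the Secure flag so the audit has something to report.
SAMPLE_SET_COOKIE = [
    "c_user=100000000000001; Max-Age=7776000; Path=/; Domain=.facebook.com; Secure",
    "xs=12%3Asecret%3A1; Max-Age=7776000; Path=/; Domain=.facebook.com; Secure; HttpOnly",
    "datr=EXAMPLEdatr; Expires=Sat, 16 Jul 2022 10:00:00 GMT; Path=/; Domain=.facebook.com; Secure; HttpOnly",
    "presence=EXAMPLEpresence; Path=/; Domain=.facebook.com; Secure",
    "wd=1920x1080; Max-Age=604800; Path=/; Domain=.facebook.com; Secure",
    "spin=EXAMPLEspin; Expires=Wed, 15 Jul 2020 09:00:00 GMT; Path=/; Domain=.facebook.com; Secure",
    "locale=en_US; Max-Age=604800; Path=/; Domain=.facebook.com",
]


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into its name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {
        "name": name.strip(), "value": value.strip(),
        "secure": False, "httponly": False,
        "domain": None, "path": None, "max_age": None, "expires": None,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain":
            cookie["domain"] = val.lower()
        elif key == "path":
            cookie["path"] = val
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie["max_age"] = int(val)
        elif key == "expires":
            try:
                exp = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue  # an unparseable Expires is ignored, as browsers do
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            cookie["expires"] = exp
    return cookie


def lifetime(cookie: dict, now: datetime) -> Optional[timedelta]:
    """Remaining lifetime per RFC 6265: Max-Age wins over Expires; neither means session."""
    if cookie["max_age"] is not None:
        return timedelta(seconds=cookie["max_age"])
    if cookie["expires"] is not None:
        return cookie["expires"] - now
    return None


def audit(headers, now=NOW, expected_domain=".facebook.com") -> dict:
    """Classify each cookie and list the attribute weaknesses a reviewer would flag."""
    report = {}
    for header in headers:
        c = parse_set_cookie(header)
        life = lifetime(c, now)
        if life is None:
            kind, days = "session", None
        elif life <= timedelta(0):
            kind, days = "expired", 0
        else:
            kind, days = "persistent", life.days
        issues = []
        if not c["secure"]:
            issues.append("missing Secure")
        if not c["httponly"]:
            issues.append("missing HttpOnly (readable by page scripts)")
        if c["domain"] != expected_domain:
            issues.append(f"domain {c['domain']!r} is not {expected_domain!r}")
        report[c["name"]] = {"kind": kind, "lifetime_days": days, "issues": issues}
    return report


if __name__ == "__main__":
    for name, entry in audit(SAMPLE_SET_COOKIE).items():
        print(f"{name:9} {entry['kind']:10} {str(entry['lifetime_days']):>5}  "
              f"{'; '.join(entry['issues']) or 'ok'}")
```

Run against the constructed headers, xs comes out as a 90-day persistent cookie with no findings, presence as a session cookie, spin as already expired relative to the reference time, and locale is flagged for the missing Secure attribute. To audit a real site, feed it the Set-Cookie headers captured from the browser’s network panel instead of the sample list.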

In addition to these cookies there are other cookies, such as the “EagleEye” cookies, whose names begin with the characters “_e_”.

The cookie names consist of “_e_” followed by a four character random string, followed by an underscore and then an incrementally increasing number, starting at zero.

For example,
_e_gh2c_0, _e_gh2c_1, _e_gh2c_2, etc.

These cookies are generated by JavaScript and used to transmit information to Facebook about the responsiveness of the site for the user.
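Two of the cookies above have a value or name format that the post describes in words: the three-component xs value (session number, session secret, optional secure flag) and the EagleEye naming pattern `_e_` + four random characters + `_` + counter. The code below is an added example, not from the original post or from Facebook, that turns both descriptions into parsers. It assumes the xs components are separated by `:` and arrive URL-encoded (so `:` appears as `%3A`), and that the four-character EagleEye tag is alphanumeric; the post states neither, so both are assumptions. It also shows how to log an xs value without writing the session secret to the log.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption (not stated in the post): xs components are ':'-separated and the
# cookie value is URL-encoded, so ':' appears as '%3A' on the wire.
XS_SEPARATOR = ":"


def parse_xs(value: str) -> dict:
    """Split an xs value into session number, session secret and optional secure flag."""
    fields = unquote(value).split(XS_SEPARATOR)
    if len(fields) < 2:
        raise ValueError("xs needs at least a session number and a secret")
    session_no = fields[0]
    if not (session_no.isdigit() and len(session_no) <= 2):
        raise ValueError("session number must be a one- or two-digit integer")
    if not fields[1]:
        raise ValueError("empty session secret")
    return {
        "session_number": int(session_no),
        "secret": fields[1],
        "secure_flag": fields[2] if len(fields) > 2 and fields[2] != "" else None,
        "extra": fields[3:],  # any further components the post does not describe
    }


def redact_xs(value: str) -> str:
    """The form to write to a log: keep the structure, drop the session secret."""
    parsed = parse_xs(value)
    parts = [str(parsed["session_number"]), "<redacted>"]
    if parsed["secure_flag"] is not None:
        parts.append(parsed["secure_flag"])
    return XS_SEPARATOR.join(parts)


# EagleEye names: "_e_" + four-character tag + "_" + counter starting at 0.
# Assumption: the tag is alphanumeric (the post only calls it "random").
EAGLEEYE_NAME = re.compile(r"^_e_([A-Za-z0-9]{4})_(\d+)$")


def group_eagleeye(cookie_names) -> dict:
    """Group EagleEye cookie names by their random tag, counters in ascending order."""
    groups = defaultdict(list)
    for name in cookie_names:
        m = EAGLEEYE_NAME.match(name)
        if m:
            groups[m.group(1)].append(int(m.group(2)))
    return {tag: sorted(nums) for tag, nums in groups.items()}


def has_gaps(counters) -> bool:
    """True if a group's counters are not the unbroken run 0, 1, 2, ... the post describes."""
    return counters != list(range(len(counters)))


# Constructed cookie-name list: two EagleEye families mixed with ordinary cookies,
# one family with a missing counter value.
SAMPLE_COOKIE_NAMES = [
    "c_user", "xs", "_e_gh2c_0", "_e_gh2c_1", "_e_gh2c_2",
    "_e_k9x1_0", "_e_k9x1_2", "datr",
]

if __name__ == "__main__":
    print(redact_xs("12%3AabcDEF123%3A1"))
    for tag, counters in group_eagleeye(SAMPLE_COOKIE_NAMES).items():
        print(tag, counters, "gap!" if has_gaps(counters) else "contiguous")
```

The session-number check rejects values that do not fit the two-digit format described above, which is a cheap sanity test when a cookie jar is suspected of being tampered with; the EagleEye grouping makes it easy to see how many measurement cookies a single page load produced.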

These are some of the main cookies that are in play when you are accessing Facebook. Apart from these there are many other cookies as well set according to the use cases.

Thank you for reading! Kindly provide your feedback for improvement.

Written by

Software Engineer @ WSO2, B.Sc.Computer Engineering
