Adventures with Facebook’s session cookie

Jasmeet Singh
Sep 20, 2019 · 5 min read
Photo by Olia Gozha on Unsplash

As we all know, our session identifiers are stored in cookies 🍪. Let's begin by taking a look at which cookies Facebook stores. For manipulating cookies I'll be using the EditThisCookie Chrome extension; make sure you allow the extension to run in incognito mode as well.

Open Facebook in an incognito window and take a look at the cookies using EditThisCookie. Since we are initially logged out, none of these cookies correspond to session-specific data. Now open a normal Chrome window, log in to Facebook, and you'll notice that a few more cookies have been added to the list.

Cookies (logged out state — left), Cookies (logged in state — right)

Who sets these cookies?

Log out of Facebook, open Chrome DevTools, enable "Preserve log" in the Network tab and log in again. If you look at the response headers of the login request, you'll notice that on a successful login the server returns a Set-Cookie header for c_user as well as for xs. These headers tell the browser to store the cookies and to attach them to every future request whose host and path fall within the cookies' Domain and Path scope. So once we log in, all subsequent requests to Facebook carry the session information (requests for static assets served from a different host will not, because the cookies are not scoped to that host). That is how session state is layered on top of HTTP, which is itself stateless.
Also note that in the response headers xs is set as an HttpOnly cookie, which means scripts running in the page cannot read it.

Run document.cookie in the console of a logged-in Facebook window and you'll notice that c_user is listed but xs is not. If you toggle the HttpOnly flag off on the xs cookie via EditThisCookie and save it, document.cookie now outputs the xs cookie as well (remember to toggle it back on 😉).

💡 Adding the c_user and xs cookies to a browser is all it takes to make Facebook's servers treat that browser as logged in.

Make sure you have a logged-in Facebook window and a fresh incognito window showing the logged-out Facebook page. In the incognito window, click the EditThisCookie extension and add two new cookies, named c_user and xs. Copy the values for each from the logged-in window, save them and refresh. You'll be logged in. This is exactly what an attacker who obtains those two values can do, which is why the rest of this post looks at how hard they are to obtain.

Can we use a man-in-the-middle (MITM) attack to get the values of the c_user and xs cookies?
Since every session-specific request after a successful login carries the c_user and xs cookies, can we just sit in the middle and intercept the network traffic to read them? The answer is no, and the reason is straightforward: Facebook operates over HTTPS, so everything sent over the network is TLS-encrypted, headers included.
Even if an attacker manages to make the browser request Facebook over plain HTTP, the c_user and xs cookies have the Secure flag set, which instructs the browser to send them only over HTTPS, so they never appear in the downgraded request. This is a second, independent layer of protection.
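The following is an added example, not code from the original post, that models the behaviour described in the sections above: how the HttpOnly flag on xs hides it from document.cookie, how the Secure flag keeps c_user and xs out of a plain-http request, and why pasting just those two cookies into a fresh browser is enough to be treated as logged in. The cookie values, the third "theme" cookie and the server-side check are constructed stand-ins that only mirror what the post observed; nothing here talks to Facebook.

```python
"""Model of the cookie handling observed in the post (added example, not the
post's own code). Cookie values and the "theme" cookie are constructed
placeholders; facebook_like_server() is a stand-in that only reproduces the
observed behaviour: both c_user and xs present -> home page, else login page.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, shaped like the ones returned on a successful login.
LOGIN_SET_COOKIE_HEADERS = [
    "c_user=1234567890; Max-Age=31536000; Path=/; Domain=.facebook.com; Secure",
    "xs=ExampleSessionSecretNotReal; Path=/; Domain=.facebook.com; Secure; HttpOnly",
    "theme=dark; Path=/; Domain=.facebook.com",  # made-up non-session cookie for contrast
]


def parse_set_cookie(headers, response_host):
    """Turn Set-Cookie lines into {name: attributes} the way a browser would store them."""
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)
    cookies = {}
    for name, morsel in jar.items():
        domain = morsel["domain"].lstrip(".").lower()
        cookies[name] = {
            "value": morsel.value,
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
            "domain": domain or response_host.lower(),
            "host_only": not domain,  # no Domain attribute: bound to the exact host
            "path": morsel["path"] or "/",
        }
    return cookies


def document_cookie(cookies):
    """What a page script sees in document.cookie: everything except HttpOnly cookies."""
    return "; ".join(f"{n}={c['value']}" for n, c in cookies.items() if not c["httponly"])


def cookie_header_for(cookies, url):
    """The Cookie header a browser attaches to a request for `url`,
    honouring the Secure flag and the Domain/Path scope of each cookie."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    sent = []
    for name, c in cookies.items():
        if c["secure"] and parts.scheme != "https":
            continue  # Secure cookies never travel over plain http
        if c["host_only"]:
            domain_ok = host == c["domain"]
        else:
            domain_ok = host == c["domain"] or host.endswith("." + c["domain"])
        if not domain_ok or not path.startswith(c["path"]):
            continue
        sent.append(f"{name}={c['value']}")
    return "; ".join(sent)


def facebook_like_server(cookie_header):
    """Stand-in for the server-side decision the post observed."""
    names = {part.split("=", 1)[0] for part in cookie_header.split("; ") if part}
    return "home" if {"c_user", "xs"} <= names else "login"


def replay_session(stolen_cookies, url="https://www.facebook.com/"):
    """The EditThisCookie step from the post: a fresh browser holding only the
    copied c_user and xs cookies, then one request to the site."""
    fresh_browser = {n: stolen_cookies[n] for n in ("c_user", "xs")}
    return facebook_like_server(cookie_header_for(fresh_browser, url))


if __name__ == "__main__":
    cookies = parse_set_cookie(LOGIN_SET_COOKIE_HEADERS, "www.facebook.com")
    print("document.cookie  ->", document_cookie(cookies))
    print("https request    ->", cookie_header_for(cookies, "https://www.facebook.com/"))
    print("http request     ->", cookie_header_for(cookies, "http://www.facebook.com/"))
    print("other host       ->", cookie_header_for(cookies, "https://cdn.example.com/"))
    print("replayed session ->", replay_session(cookies))
```

Running it shows xs missing from document.cookie, both session cookies missing from the http request and from the request to another host, and the replayed session landing on "home" over https but on "login" over http, which is the Secure-flag point made above.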

Let’s try Brute Force 💪

As you might know, Facebook has a password-reset page where you can reset the password via a one-time code sent to your email or mobile. It is a 6-digit code, which means we could try to force our way in by exhausting all 1 million (10^6) combinations with a script, but this doesn't work because Facebook blocks this action after some 10–20 attempts.

💡 What if we try to brute-force the xs cookie for a particular c_user?

Looking at the image below: when I send a GET request without cookies, I receive the login page, where the element used for notifications is missing; once I send c_user and xs in the Cookie header, I get the home page.

The format of the xs cookie is as follows [Refer]:

c: character including special characters
d: digit [0–9]

The timestamp is 10 digits long, i.e. Unix time in seconds, whereas new Date().getTime() in JavaScript gives 13 digits because it is in milliseconds.
As soon as you log in, Facebook validates the request and records the login time with second precision (as a 10-digit timestamp). This timestamp is embedded in the xs cookie.

Even if we could apply some heuristics to narrow down the login time, we are still left with 15 characters and 2 digits. Treating each character as any of 256 byte values, that is 10^2 × 256^15 ≈ 1.3 × 10^38 combinations; even restricting the characters to the 95 printable ASCII values leaves about 4.6 × 10^31, and that assumes you know the timestamp exactly (every second of uncertainty multiplies the count further).

You could in principle try to brute-force it while rotating through proxies to dodge rate limiting, but it would take an eternity before you hit the correct xs value.
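To put numbers on the two brute-force routes discussed above (the 6-digit reset code with a lockout, and the xs cookie keyspace), here is an added example that is not part of the original post. The request rate, the lockout threshold of 20 attempts and the choice of character alphabet for xs are illustrative assumptions; the post itself only states that Facebook blocks the reset code after some 10–20 attempts and that xs contains 15 free characters, 2 digits and a 10-digit login timestamp.

```python
"""Feasibility numbers for the brute-force routes in the post (added example,
not the post's own code). Rates, lockout threshold and alphabet sizes are
assumptions chosen for illustration.
"""

PRINTABLE_ASCII = 95      # assumption: xs characters drawn from printable ASCII
ANY_BYTE = 256            # the post's looser assumption: any byte value per character
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, free_chars, digit_positions=0, timestamp_candidates=1):
    """Distinct values to try: alphabet^chars * 10^digits * number of plausible timestamps."""
    return alphabet_size ** free_chars * 10 ** digit_positions * timestamp_candidates


def guess_success_probability(space, attempts):
    """Chance that `attempts` distinct random guesses include the one real value.
    Under a lockout this is the whole attack: you only ever get `attempts` tries."""
    return min(1.0, attempts / space)


def expected_seconds_to_hit(space, requests_per_second):
    """Expected time for an unthrottled exhaustive search (half the space on average)."""
    return space / 2 / requests_per_second


def timestamp_candidates(earliest_ms, latest_ms):
    """xs stores the login time with 1 s precision (10 digits). Given an uncertainty
    window in JavaScript milliseconds (new Date().getTime()), count the distinct
    10-digit timestamps it can contain."""
    return latest_ms // 1000 - earliest_ms // 1000 + 1


def years(seconds):
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Route 1: 6-digit reset code, lockout after 20 attempts (upper end of the post's 10-20).
    otp_space = keyspace(10, 6)
    print(f"reset code: {otp_space:,} values, p(success in 20 tries) = "
          f"{guess_success_probability(otp_space, 20):.1e}")

    # Route 2: xs cookie, with the timestamp known to the second (best case for the attacker).
    for label, alphabet in (("printable ASCII", PRINTABLE_ASCII), ("any byte", ANY_BYTE)):
        space = keyspace(alphabet, 15, digit_positions=2)
        print(f"xs ({label}): {space:.2e} values, "
              f"~{years(expected_seconds_to_hit(space, 10_000)):.2e} years at 10k req/s")

    # Knowing the login time only to within a minute multiplies the space by 60.
    window = timestamp_candidates(1_568_900_000_000, 1_568_900_059_999)
    print(f"one-minute login window -> {window} candidate timestamps")
```

The useful comparison is between the two routes: the reset code has a tiny keyspace but the lockout caps the attacker at roughly a 1-in-50,000 chance, while xs has no practical lockout to worry about because the keyspace alone puts an exhaustive search far beyond any achievable request rate, proxies or not.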

I'll end this article hoping that you found it interesting (consider sharing it in that case!). If I have missed something somewhere or you have something to add, please do post it in the comments.

Keep reading, keep learning!

Written by Jasmeet Singh
Software engineer, Web enthusiast, Gamer