Facebook cookies work even after leaving the site
Among the latest innovations on Facebook is the publication of statuses on the social network about pages the user has visited, even if the user did not click the Like button. Thus, information about a user's actions may become public without their knowledge and, possibly, against their wishes. Some famous people are alarmed by this possibility, so they recommend logging out of Facebook before visiting other sites.
But it turns out that the problem runs much deeper. Some Facebook cookies persist even after leaving the site, so Facebook can still monitor the user's actions and update his statuses.
Security specialist Nik Cubrilovic shows which cookies are set when logging in to facebook.com:
Cookie:
datr=tdnZTOt21HOTpRkRzS-6tjKP;
lu=ggIZeheqTLbjoZ5Wgg;
openid_p=101045999;
c_user=500011111;
sct=1316000000;
xs=2%3A99105e8977f92ec58696cf73dd4a32f7;
act=1311234574586%2F0
And these are the cookies removed when logging out (the Set-Cookie response headers below). As you can see, not all cookies that were set are deleted: some ( locale and lu ) are simply assigned a new expiry date, and three new cookies ( W, fl, L ) are set on logout. As a result, even after logging out of Facebook, the browser keeps sending cookies, including identification data. The Cookie header that follows the Set-Cookie lines is an example request as a logged-out user. That is, whenever a user visits a page with a Like button or any other Facebook button, this information is sent to Facebook.
Set-Cookie:
_e_fUJO_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
c_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
fl=1; path=/; domain=.facebook.com; httponly
L=2; path=/; domain=.facebook.com; httponly
locale=en_US; expires=Sun, 02-Oct-2011 07:52:33 GMT; path=/; domain=.facebook.com
lu=ggIZeheqTLbjoZ5Wgg; expires=Tue, 24-Sep-2013 07:52:33 GMT; path=/; domain=.facebook.com; httponly
s=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
sct=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
W=1316000000; path=/; domain=.facebook.com
xs=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Cookie:
datr=tdnZTOt21HOTpRkRzS-6tjKP;
openid_p=101045999;
act=1311234574586%2F0;
L=2;
locale=en_US;
lu=ggIZeheqTLbjoZ5Wgg;
lsd=IkRq1;
reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Findex.php%3Flh%3Dbf0ed2e54fbcad0baaaaa32f88152%26eu%3DJhvyCGewZ3n_VN7xw1BvUw;
reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Findex.php%3Flh%3Dbf0ed2e54fbcad0b1aaaaa152%26eu%3DJhvyCGewZ3n_VN7xw1BvUw
Thus, a reliable way to avoid “tracking” is to completely delete the facebook.com cookies and no longer access the site. Alternatively, configure the appropriate filters in AdBlock or similar programs.
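The comparison above can be reproduced mechanically. The following Python sketch is an added example, not part of the original article or of Cubrilovic's analysis: it replays the logout Set-Cookie lines from this page against the login cookie jar and reports which cookies were cleared, which survived unchanged, and which are new. The capture time `AS_OF` and all function names are assumptions introduced here.

```python
from datetime import datetime
# Captured headers copied from this page (values as published there).
LOGIN = ("datr=tdnZTOt21HOTpRkRzS-6tjKP; lu=ggIZeheqTLbjoZ5Wgg; openid_p=101045999; "
         "c_user=500011111; sct=1316000000; xs=2%3A99105e8977f92ec58696cf73dd4a32f7; "
         "act=1311234574586%2F0")
LOGOUT_SET_COOKIE = """\
_e_fUJO_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
c_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
fl=1; path=/; domain=.facebook.com; httponly
L=2; path=/; domain=.facebook.com; httponly
locale=en_US; expires=Sun, 02-Oct-2011 07:52:33 GMT; path=/; domain=.facebook.com
lu=ggIZeheqTLbjoZ5Wgg; expires=Tue, 24-Sep-2013 07:52:33 GMT; path=/; domain=.facebook.com; httponly
s=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
sct=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
W=1316000000; path=/; domain=.facebook.com
xs=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
""".splitlines()
AS_OF = datetime(2011, 9, 25)  # assumption: capture time, before the 2011 locale expiry

def parse_cookie_header(header):
    """Turn a Cookie request header into {name: value}."""
    return dict(p.strip().split("=", 1) for p in header.split(";") if "=" in p)

def apply_set_cookie(jar, lines, as_of=AS_OF):
    """Apply Set-Cookie lines the way a browser would; return the new jar."""
    jar = dict(jar)
    for line in lines:
        first, *attrs = [p.strip() for p in line.split(";")]
        name, value = first.split("=", 1)
        attr = {k.lower(): v for k, v in (a.split("=", 1) for a in attrs if "=" in a)}
        exp = attr.get("expires")
        if exp and datetime.strptime(exp, "%a, %d-%b-%Y %H:%M:%S GMT") <= as_of:
            jar.pop(name, None)   # past expiry: the browser discards the cookie
        else:
            jar[name] = value     # set or refreshed: it stays in the jar
    return jar

def logout_report(login_header=LOGIN, lines=LOGOUT_SET_COOKIE):
    """Classify cookies by what the logout response did to them."""
    before = parse_cookie_header(login_header)
    after = apply_set_cookie(before, lines)
    return {
        "cleared": sorted(n for n in before if n not in after),
        "survived": sorted(n for n in before if after.get(n) == before[n]),
        "new": sorted(n for n in after if n not in before),
    }

if __name__ == "__main__":
    for label, names in logout_report().items():
        print(f"{label:9}{', '.join(names)}")
```

The same report can be run over your own captured login and logout headers to check whether a logout response clears every identifying cookie.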