Facebook fixes cookie behavior after logging out


Summary: After denying allegations that it can track what you're doing online even if you log out of the social network, Facebook has changed how its cookies behave.


Facebook fixes cookie behavior after logging out. | Credit: fairytalefrosting


Update: US congressmen ask FTC to investigate Facebook cookies.

Over the weekend, self-proclaimed hacker Nik Cubrilovic accused Facebook of tracking its users even if they log out of the social network. The company responded by denying the claims and offering an explanation as to why its cookies behave the way they do. Now, Cubrilovic says Facebook has made changes to the logout process, and detailed what each cookie is responsible for.

Facebook has five cookies that persist: datr, lu, p, L, and act. There are also two session cookies that persist after the logout procedure: a_user and a_xs. The former, which is the user's ID, is now destroyed on logout. This is the one Cubrilovic had the most issue with. Here is how Facebook describes it:

What you see in your browser is largely typical, except a_user which is less common and should be cleared upon logout (it is set on some photo upload pages). There is a bug where a_user was not cleared on logout. We will be fixing that today.

The datr cookie is set when a browser first visits facebook.com (except via social plugin iframes), and helps Facebook "identify suspicious login activity and keep users safe." The lu cookie is also set the first time a browser visits facebook.com and is used to identify the browser – it helps "protect people using public computers." The a_xs cookie is a string used to prevent cross-site scripting attacks – it serves to check the payload of any requests to the server.

These cookies uniquely identify the browser being used even after logout. Cubrilovic says you shouldn't worry about them unless you can't take Facebook at its word that the cookies are used only for the purposes described. He says the remaining cookies are not very interesting: "they set things like the language of your browser and device dimensions." He believes the most interesting cookie, a_user, now behaves as it should.
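A logout audit for the a_user bug described above, as an added example that is not code from the article, Cubrilovic or Facebook: it applies a logout response's Set-Cookie headers to a cookie jar and reports whether a cookie that should be destroyed survives. The domain, cookie values and headers are constructed, and treating a_user as the only must-clear cookie is an assumption taken from the article's description.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

MUST_CLEAR = {"a_user"}  # assumption from the article: the user's ID, destroyed on logout

def is_deletion(morsel, now):
    """A Set-Cookie deletes when Max-Age <= 0 or Expires is in the past."""
    if morsel["max-age"] != "":
        try:
            return int(morsel["max-age"]) <= 0
        except ValueError:
            return False
    if morsel["expires"]:
        try:
            return parsedate_to_datetime(morsel["expires"]) <= now
        except (TypeError, ValueError):
            return False
    return False

def apply_logout(jar, set_cookie_headers, now=None):
    """Apply Set-Cookie headers to a jar keyed by (name, domain, path)."""
    now = now or datetime.now(timezone.utc)
    after = dict(jar)
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, m in parsed.items():
            key = (name, m["domain"].lower(), m["path"] or "/")
            if is_deletion(m, now):
                # Only an entry with matching domain and path is removed, as in a browser.
                after.pop(key, None)
            else:
                after[key] = m.value
    return after

def logout_leaks(jar, set_cookie_headers, must_clear=MUST_CLEAR, now=None):
    """Names of must-clear cookies still present after logout."""
    after = apply_logout(jar, set_cookie_headers, now)
    return sorted({name for (name, _, _) in after if name in must_clear})

# Constructed sample data (not real Facebook values or headers).
JAR = {(n, ".example.test", "/"): "constructed-" + n
       for n in ("datr", "lu", "p", "L", "act", "a_user", "a_xs")}
BUGGY_LOGOUT = ["a_xs=rotated; Domain=.example.test; Path=/"]
FIXED_LOGOUT = BUGGY_LOGOUT + [
    "a_user=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=.example.test; Path=/"]
WRONG_PATH_LOGOUT = ["a_user=deleted; Max-Age=0; Domain=.example.test; Path=/photos"]
```

The third sample shows a failure mode worth testing for: an expiry sent with a different Path than the cookie was set with leaves the original cookie in place.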

Here is his conclusion on the whole fiasco:

Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe.

It's important to note that Facebook did not previously say it was going to make changes. Both statements I received, from a Facebook engineer and from a Facebook spokesperson, were written as explanations of the process. While Cubrilovic says nothing about Facebook's insistence it does not track users (as far as we know, this is true), it appears he was right about the logout issue, because according to him, the social network has now fixed it. I have contacted Facebook to verify this.

Update: A spokesperson has replied but did not offer an official statement. Instead, he once again pointed me to a comment made on my article, this time from Facebook engineer Gregg Stefancik. Here is what he wrote:

I'm an engineer who works on these systems. I want to make it clear that there was no security or privacy breach. Facebook did not store or use any information it should not have. Like every site on the internet that personalizes content and tries to provide a secure experience for users, we place cookies on the computer of the user. Three of these cookies on some users' computers included unique identifiers when the user had logged out of Facebook. However, we did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose. In addition, we fixed the cookies so that they won't include unique information in the future when people log out.

I asked if I could also get a PR statement (like I did last time), but was denied. "That is the statement," the spokesperson told me.


Topics: Browser, Social Enterprise

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.


Talkback

14 comments
  • RE: Facebook fixes cookie behavior after logging out

    I'm an engineer who works on these systems. I want to make it clear that there was no security or privacy breach. Facebook did not store or use any information it should not have. Like every site on the internet that personalizes content and tries to provide a secure experience for users, we place cookies on the computer of the user. Three of these cookies on some users' computers included unique identifiers when the user had logged out of Facebook. However, we did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose. In addition, we fixed the cookies so that they won't include unique information in the future when people log out.
    wstef
    • RE: Facebook fixes cookie behavior after logging out

      @wstef Let us leave it to the official FB team to reply, then I will break their claims piece by piece. You are an engineer, please don't say anything that will make you or FB liable.
      prasanna_vps
    • RE: Facebook fixes cookie behavior after logging out

      @wstef
      Why should we believe you? Facebook has a history of lying that's a fact. I don't trust you as well, nothing here to say trust him



      Quote
      Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes
      End Quote

      That clearly says they are still tracking. And there are a lot of "tracking cookies" cookies themselves from deletion so like I said why should we trust you.
      Stan57
    • RE: Facebook fixes cookie behavior after logging out

      @wstef How about not activating the gps on my android every time I open the app? How about not running FB in the background and activating gps while I'm not even using it?? Nevermind, I've already uninstalled it anyway.
      watching_you
  • So, Facebook tracks you online, even when logged out?

    Who do they think they are? Google?
    itpro_z
    • RE: Facebook fixes cookie behavior after logging out

      Yes.
      ScorpioBlue
  • RE: Facebook fixes cookie behavior after logging out

    This is more like "You guys found that we were tracking you, so we'll just say it was a 'bug' and pretend we 'fixed' it."
    Imrhien
  • RE: Facebook fixes cookie behavior after logging out

    All this talk about Facebook tracking users, ZDNet also tracks
    its users. This is a ZDNet cookie on my computer:

    region
    connectionspeed
    satellite
    regionconf
    metrocode
    countryconf
    country
    usa
    city
    atlanta
    cityconf
    citycode
    domain
    regioncode
    latitude
    longittude


    Is all this information needed just to read an article?
    Juniperbear
    • cookie abuse

      @Juniperbear The whole concept of cookies is to track you, where you go and what you do. Cookies have been abused since their inception by most companies that use them, e.g. Facebook, Google, Microsoft etc., and yes, ZDNet is a cookie abuser too. The industry wants it this way and there is no one in government that understands the IT enough to step in and protect us. I have lobbied my local federal member for over 2 years to do something about this but unfortunately she is largely IT illiterate and still doesn't understand the issue. The only real recourse left to us are groups like Anonymous - a group of people who I neither like nor trust, but who else is willing to help protect us? ZDNet? Not likely, as they are part of the problem. (Prove me wrong ZDNet, prove me wrong.)
      optyk
      • RE: Facebook fixes cookie behavior after logging out

        @optyk
        Can you please try to explain to me what your IT illiterate congresswoman doesn't understand? Specifically what type of abuse gets under your skin?
        pauld3853
    • Just run CCleaner...

      ...after viewing this if it worries you.

      zdnet spyware be gone!
      ScorpioBlue
    • RE: Facebook fixes cookie behavior after logging out

      @Juniperbear
      NOPE, but then it isn't designed for our intention, it is designed for THEIRS!
      declutterbug51
  • RE: Facebook fixes cookie behavior after logging out

    If you believe Facebook is being honest, I have a ski villa in Texas for sale.
    12stringer1975