Monday, September 26, 2011

Logging Out of Facebook Is Not Enough

Nik Cubrilovic:

But logging out of Facebook only de-authorizes your browser from the Web application, a number of cookies (including your account number) are still sent along to all requests to Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.


There are serious implications if you are using Facebook from a public terminal. If you login on a public terminal and then hit ‘logout’, you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser. Associating an account ID with a real name is easy—as the same ID is used to identify your profile.

There’s a response from a Facebook engineer in the comments. I mainly use Safari, but I have OmniWeb configured as as “secure” browser that doesn’t store any cookies between launches.

Update (2011-09-27): Nik Cubrilovic:

Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though.

Comments RSS · Twitter

Leave a Comment