Today we will focus on the Facebook security setting that deals with Active Sessions. Each time you log in to Facebook, a “session” is started, and certain information is recorded: date, time, approximate location, and device being used to log in. Note that the word “approximate” could really be replaced with “best guess at” for reasons we’ll discuss below. Now, unless you physically log OUT of a session, it will remain open for quite some time. And each device that you use (phone, tablet, computer) will result in a new session being started, again for reasons we’ll discuss in a moment.
So… it’s quite possible for any one Facebook user to have several, even dozens, of sessions open at the same time. Don’t believe it? Why not check your account right now? Simply click the little drop-down arrow in the upper right corner of your (computer) screen, then click “Account Settings”.
Next, click “Security” on the left hand side of the next screen. The last setting will be Active Sessions, and will show where you are currently logged in, as well as the number of other active sessions currently associated with your account.
Click the Edit button to the right, and voila! There are all your Active Sessions, displayed for your enlightenment. Surprised? I was, the first time I looked, particularly when one of my locations was Joplin, and another Tulsa, OK. So, how do we account for all of these sessions?
When you sign in to Facebook, a small text file called a “cookie” is placed in your browser’s cache by Facebook’s software. Each physical device you use receives its own cookie. This cookie identifies you to Facebook, and remains until you log out, at which time the software automatically deletes it. Guess what happens when you close your browser without logging out? The cookie stays. And stays. A little checking shows that the cookie will not expire by itself for TWO years. For the tech-oriented, even clearing your browser cache (and thus deleting the cookie from your system) will not close a session. In fact, there are only two ways that you can close an active session.
The first, obviously, is by logging out of Facebook each time you finish using it, from each device that you use. Not just closing your browser or app, but actually clicking or tapping the words “Log Out”. Of course, logging out means you’ll have to log back in every time you need to use Facebook, and who wants to do that? To be truly security-conscious, you should, especially if you have logged in from a public location via wi-fi. But there is another, easier way — simply do as we have already done to pull up your Active Sessions, then click “End Activity” next to each session.
This method is actually more secure than simply logging out, as it allows you to monitor your log-in locations as well, and identify anything that looks suspicious. As we’ve discussed (and will do further shortly), location accuracy can be hit-and-miss, but if you notice a session that says your location is Papua New Guinea, or something equally ridiculous, you can safely assume that your account has been hacked. End that session, and immediately change your Facebook password.
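For the tech-oriented, here is the cookie-versus-session behaviour described above as a small added model. It is not Facebook's code: `SessionStore`, `walk_through` and the sample devices are made up for illustration, and the only figure taken from this post is the two-year lifetime.

```python
import secrets
from datetime import datetime, timedelta

COOKIE_LIFETIME = timedelta(days=730)  # the two-year expiry the post mentions

class SessionStore:
    """Hypothetical server side: one record per log-in, keyed by the cookie token."""
    def __init__(self):
        self.sessions = {}

    def log_in(self, user, device, now):
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user, "device": device,
                                "expires": now + COOKIE_LIFETIME}
        return token  # sent to the device, which keeps it as the cookie

    def is_active(self, token, now):
        record = self.sessions.get(token)
        return record is not None and now < record["expires"]

    def active(self, user, now):
        return [t for t, r in self.sessions.items()
                if r["user"] == user and now < r["expires"]]

    def end(self, token):  # what both "Log Out" and "End Activity" come down to
        self.sessions.pop(token, None)

def walk_through():
    """Count active sessions after each step; all data here is constructed."""
    server, now = SessionStore(), datetime(2020, 1, 1)
    cookies = {d: server.log_in("me", d, now) for d in ("phone", "tablet", "pc")}
    seen = {"three log-ins": len(server.active("me", now))}
    now += timedelta(days=30)  # browsers closed a month ago, nobody logged out
    seen["a month later"] = len(server.active("me", now))
    pc_token = cookies.pop("pc")  # deleting the cookie removes only the local copy
    seen["PC cookie deleted"] = len(server.active("me", now))
    seen["deleted token still accepted"] = server.is_active(pc_token, now)
    server.end(cookies.pop("phone"))  # a real Log Out on the phone
    seen["phone logged out"] = len(server.active("me", now))
    for token in server.active("me", now):  # End Activity on whatever is left
        server.end(token)
    seen["End Activity on the rest"] = len(server.active("me", now))
    seen["deleted token accepted now"] = server.is_active(pc_token, now)
    return seen

if __name__ == "__main__":
    for step, value in walk_through().items():
        print(f"{step}: {value}")
```

The count only drops when the server-side record is removed, which is why the Active Sessions list is the place to clean up sessions whose cookie is long gone.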
Now, a friend of mine who lives in NYC recently updated her status, and Facebook displayed her location as New Brunswick, CAN — roughly 600 miles away as the crow, or Canada goose, flies. Not very accurate, true, but probably not an indication of a hacked account. So, how did that happen? Facebook approximates location through your device’s IP address (a unique set of numbers that identifies each device attached to a network), and, as it happens, there are many factors that can affect your IP.
Let’s start with the obvious: mobile. When you log in to Facebook from your smartphone (over your cell network, not wi-fi), your signal is picked up by the closest tower, and, depending on cell traffic at the time, could be routed through several other towers until it is officially logged. Which means your location could be pegged incorrectly by a wide margin. Example: My cell phone, on the desk next to me, currently shows as logged in to Facebook from Olathe, KS!
Next, consider wi-fi. Of course, if you’re logging in from a restaurant halfway across town, the session that results should still show the same city name, right? Not necessarily. Think about this — if the restaurant is part of a chain, and the chain franchise controls all of its network traffic by routing T-1 lines (big data pipes) from a central location… then your log-in at Panera in Springfield could show you as being in St. Louis! That’s just an example for illustration purposes — I have no idea if Panera’s data goes through StL. 🙂
Okay, but what about the good old PC sitting at my house, connected to my cable company’s network — that will always be accurate, right? Not so fast! My own IP address changes two or three times a year, solely due to network updates by my Internet access provider. And oftentimes when such changes occur, the location assigned to a particular IP isn’t updated in the system right away, and could reflect another locale altogether, even one that is hundreds of miles away! I would guess that is the likely cause for the sudden displacement of my New York friend.
If you’re curious, you can mouse-over each location in your Active Sessions list to see what the IP address is for each. And yes, you should monitor your sessions on a routine basis, and end those that are not actually being actively used. Remember to always log out of Facebook (or any other app, for that matter) if you have logged in from a public wi-fi location. If you see anything that you feel isn’t right, change your Facebook password — it’s always better to be safe than sorry (and you should change it regularly, anyway).
That’s it for this post! Sorry for the incredible length, and thank you if you have read this far. We’ll return next time with another post that’s more concerned with privacy than security. (And a new look for the blog!) In the meantime, Happy Thanksgiving from Diamond Mind Web Design!