Lucas León

Reputation: 632

How does Facebook manage the user session?

I'm kind of intrigued by how Facebook manages the user session in their different web apps (Facebook and Messenger). When I enter the Messenger web app, it knows that I'm logged in to Facebook and lets me use the app. I want to know which technologies would let me achieve that (Redis maybe?) or how they can share the same session.

Upvotes: 4

Views: 1961

Answers (1)

Ionică Bizău

Reputation: 113445

messenger.com makes an AJAX request to facebook.com and gets the information on whether the user is logged in there or not.

Once you are authenticated in messenger.com, you have a new session which is independent of the facebook.com session.

The request which is made can be seen in the Network tab from the developer tools:

POST https://www.facebook.com/login/async_sso/messenger_dot_com/?dpr=1&__a=1

This endpoint allows messenger.com to make cross origin requests (because of this response header):

access-control-allow-origin: https://www.messenger.com

In the X-Auth-Result header, the information about your Facebook account is sent in base64, and it's parsed using JSON.parse(atob(...)).

For example, mine looked like this:

X-Auth-Result: eyJ1c2VyaWQiOi....sd1EifQ==

Then they do:

var n = m.getResponseHeader('X-Auth-Result');
if (n) {
    var o = JSON.parse(atob(n));
    c('Arbiter').inform('messengerdotcom_fb_session_info', o);
}

o will look like this, in my case:

{
    "userid": "1000....756",
    "name": "Ionică Bizău",
    "secret": "P0....r",
    "persistent": true,
    "initial_request_id": "AfU...lwQ"
}

And then they can finally display your full name in the button.

When the user is not logged in, Facebook sends a userid: "0" back:

{
  "userid":"0",
  "initial_request_id":"A6...YOd"
}

Upvotes: 3
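
A sketch of the cross-origin session check described in the answer above, as an added example (not Facebook's code and not part of the original answer). The origin `https://app.example`, the function names and the session values are assumptions; it goes slightly beyond the answer by decoding the header as UTF-8, because `JSON.parse(atob(...))` alone mangles a non-ASCII name unless the server escapes it.

```javascript
// Added example: origin, function names and field values are constructed for illustration.
const ALLOWED_ORIGIN = 'https://app.example';   // the single relying origin (assumption)

// Identity-provider side: build the response headers for the session-check endpoint.
// `session` is null when the caller's cookie does not map to a logged-in user.
function buildSsoHeaders(requestOrigin, session) {
  // Exact-match the Origin header; never reflect it or use "*" on a credentialed endpoint.
  if (requestOrigin !== ALLOWED_ORIGIN) return {};   // no CORS headers: the browser blocks the read
  const info = session
    ? { userid: session.userid, name: session.name }
    : { userid: '0' };                               // same "not logged in" marker as in the answer
  return {
    'Access-Control-Allow-Origin': ALLOWED_ORIGIN,
    'Access-Control-Allow-Credentials': 'true',       // the request carries the provider's cookies
    'Access-Control-Expose-Headers': 'X-Auth-Result', // custom headers are hidden from scripts otherwise
    'Vary': 'Origin',
    'X-Auth-Result': Buffer.from(JSON.stringify(info), 'utf8').toString('base64'),
  };
}

// Relying-app side: decode the header value.
// atob() returns one character per byte, so the bytes are decoded as UTF-8 before JSON.parse.
function parseAuthResult(headerValue) {
  if (!headerValue) return null;
  try {
    const bytes = Uint8Array.from(atob(headerValue), ch => ch.charCodeAt(0));
    const info = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
    if (typeof info.userid !== 'string') return null;
    return { loggedIn: info.userid !== '0', userid: info.userid, name: info.name ?? null };
  } catch {
    return null;   // malformed base64, UTF-8 or JSON is treated as "no session"
  }
}
```

The relying app should treat the decoded value only as a hint for the UI and still establish its own session server-side, which matches the answer's point that the two sessions are independent.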
