Importing Facebook cookies into Multilogin without triggering review
Importing Facebook cookies into Multilogin without triggering review
If you manage Facebook ad accounts or pages at any real volume, you have probably hit the wall where logging in fresh from a new Multilogin profile immediately triggers a security checkpoint. Facebook sees a new browser fingerprint, a different IP than last session, and an unusual login pattern, and it locks the account for review before you have typed a single character. This is not a bug in Multilogin. it is Facebook’s device intelligence doing exactly what it is designed to do.
The workaround most operators use is cookie import: you extract an active session’s cookies from a warm browser, load them into a Multilogin profile that already has matching fingerprint settings, and resume the session without a fresh login event. Done correctly, Facebook never sees a “new device login.” it sees the same session continuing on a browser that looks consistent with prior visits. done wrong, you get a 2FA prompt, a photo ID request, or a shadowban on the ad account.
This tutorial is for operators running 5 to 500 Facebook profiles, whether that is for media buying, agency account management, or page administration. i will walk through the exact steps, the file formats, the proxy alignment requirements, and the mistakes that trip up most people at scale.
What you need
- Multilogin X (latest version, currently priced from $99/month for the Solo plan as of May 2026) or Multilogin 6 if you are still on the legacy stack
- EditThisCookie (Chrome extension) or Cookie-Editor (Firefox/Chrome) for extracting cookies from a live session
- A Facebook account that is currently active and not under review, logged in from a stable residential or mobile proxy IP
- A proxy that matches the geography and carrier of the original session. if the cookies were generated on a US residential Oxylabs IP, your Multilogin profile must use the same or a closely matched IP range
- Python 3.8+ if you want to automate cookie format conversion (optional but useful at scale)
- A cookie file in either Netscape format (.txt) or JSON format, depending on your Multilogin version
Rough cost baseline: Multilogin Solo at $99/month, residential proxy bandwidth at $8-15/GB depending on provider, and cookie extraction tools are free. Budget $20-30/month per 10 active profiles for proxy costs if you are rotating IPs correctly.
Step by step
Step 1: Log in to Facebook from the source environment
Before you export anything, make sure the account you are extracting cookies from is in a healthy state. log in normally from the IP and browser you intend to mirror. let the session sit for 2-3 minutes. scroll the feed, visit the page or ad account you manage. this generates the full set of session signals that Facebook expects.
Do not extract cookies immediately after a fresh login. Facebook sets several cookies asynchronously, including fr and xs, and extracting too fast gives you an incomplete set.
If it breaks: if the account is already in a checkpoint state when you open it, do not extract from this session. resolve the checkpoint first from its original browser and IP, then re-export.
Step 2: Extract cookies using Cookie-Editor
With the Facebook tab active, open Cookie-Editor (or EditThisCookie). click “Export” and select JSON format. copy the output to a .json file.
The minimum set of cookies Facebook needs to maintain a session:
| Cookie name | Purpose |
|---|---|
c_user |
User ID |
xs |
Session token |
datr |
Browser identifier |
sb |
Browser fingerprint |
fr |
Ad targeting token |
If any of these are missing from your export, the import will not hold a session. datr in particular is a long-lived cookie (2 years by default per RFC 6265 cookie persistence rules) and Facebook relies on it heavily for device recognition.
If it breaks: if Cookie-Editor shows fewer than 10-15 cookies for facebook.com, you likely have a cookie-blocking extension active. disable uBlock Origin or Privacy Badger for the export session.
Step 3: Create the Multilogin profile with matching fingerprint
In Multilogin, create a new profile. set the browser type to match the source browser (Chrome if you extracted from Chrome, Firefox if Firefox). under the proxy settings, enter the same IP or IP pool used for the original session.
The fingerprint settings that matter most for Facebook:
- User-Agent: match the exact UA string from the source browser. you can get this by typing
navigator.userAgentin the browser console. - Screen resolution: match the source machine’s resolution. 1920x1080 is safe for desktop.
- Timezone: match the proxy’s geographic timezone, not your local machine timezone.
- Language: en-US if the original session was US-based.
Do not use Multilogin’s “random fingerprint” option for accounts you are importing cookies into. randomization breaks the consistency Facebook expects.
If it breaks: if you are unsure of the original UA string, check the Facebook account’s “Where you’re logged in” settings before exporting. it will show the browser and OS, which narrows down the UA family even if not the exact string.
Step 4: Convert cookies to the format Multilogin expects
Multilogin X accepts cookies in JSON format via its REST API or through the profile’s cookie import UI. the JSON export from Cookie-Editor is usually compatible directly, but occasionally you will need to normalize field names.
Multilogin expects this structure per cookie object:
{
"name": "c_user",
"value": "100XXXXXXXXX",
"domain": ".facebook.com",
"path": "/",
"secure": true,
"httpOnly": false,
"sameSite": "None",
"expirationDate": 1780000000
}
Cookie-Editor exports expirationDate as a Unix timestamp, which matches. the common mismatch is sameSite casing. Multilogin expects "None", "Lax", or "Strict" with capital first letter. if your export has lowercase, run a quick normalization:
import json
with open("fb_cookies.json", "r") as f:
cookies = json.load(f)
for c in cookies:
if "sameSite" in c and c["sameSite"]:
c["sameSite"] = c["sameSite"].capitalize()
with open("fb_cookies_fixed.json", "w") as f:
json.dump(cookies, f, indent=2)
If it breaks: if the import silently accepts cookies but Facebook still shows a login page, the domain field is likely wrong. Facebook cookies must have domain .facebook.com (with the leading dot), not facebook.com or www.facebook.com.
Step 5: Import cookies into the Multilogin profile
In Multilogin X, open the profile settings, navigate to the “Cookies” tab, and paste or import your JSON file. save the profile without launching it yet.
Alternatively, use the Multilogin REST API to inject cookies programmatically, which is faster at scale:
curl -X POST "https://api.multilogin.com/profile/{profile_id}/cookies" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d @fb_cookies_fixed.json
If it breaks: 401 errors from the API mean your token is expired. regenerate it from the Multilogin dashboard under Account > API tokens. tokens expire every 24 hours by default.
Step 6: Launch the profile and verify session state
Launch the profile. navigate directly to facebook.com without going through a login URL. if the cookies are valid and the fingerprint matches, you should land directly on the home feed, logged in as the account.
Check three things immediately:
1. The profile photo in the top-right corner matches the account.
2. facebook.com/me redirects to the account’s profile page.
3. There is no security checkpoint banner at the top of the page.
Do not immediately navigate to Business Manager or Ads Manager. sit on the feed for 30-60 seconds first. let Facebook’s client-side scripts run and establish session signals before you touch any sensitive sections.
If it breaks: if you hit a “We noticed an unusual login” prompt, do not dismiss it from the Multilogin profile. switch to the original browser and IP, confirm the login from there, then reload the Multilogin session.
Step 7: Warm the session before operational use
A freshly imported cookie session is not the same as a session that has been used for weeks. Facebook’s risk systems weight session age and behavioral consistency. for new imports, spend 5-10 minutes on organic activity before using the account for ads or page management. scroll, click on posts, visit pages you manage.
For ad accounts specifically, do not create or edit campaigns in the first session after import. use that session for verification only, then resume normal work in the next session 24 hours later.
If it breaks: if the account lands in a photo ID checkpoint despite a clean import, the cookie set was likely already flagged before you exported it. there is no way to cookie-import past a live ID checkpoint. that account needs manual resolution.
Common pitfalls
Exporting from a checkpoint-adjacent session. if the account was briefly challenged (even if you passed the challenge), its cookies may carry a risk flag. always verify the account is clean for at least 48 hours before exporting for import.
Proxy mismatch between export and import environment. this is the number one cause of review triggers. if the cookies were generated on a US AT&T residential IP and you import them into a profile using a German datacenter proxy, Facebook’s IP intelligence sees a cross-continent session jump and flags it immediately. use geographically and ISP-consistent proxies. sites like multiaccountops.com/blog/ have good coverage of which proxy types hold up best for Facebook specifically.
Using Multilogin’s auto-fingerprint on imported profiles. Multilogin is good at generating realistic fingerprints, but an auto-generated fingerprint will not match the original session’s fingerprint. for cookie imports, always manually set the UA, timezone, and screen resolution to match the source.
Importing expired cookies. Facebook’s xs session token typically expires after 90 days of inactivity or immediately on logout. always check the expirationDate field on your key cookies before importing. if xs has already expired, the import will not hold and you will get a login page regardless of fingerprint quality.
Skipping the warmup period. jumping straight from cookie import to campaign creation looks like an account takeover pattern. Facebook’s systems flag rapid transitions from session start to high-value actions. build in a buffer.
Scaling this
At 10 profiles, manual cookie export with Cookie-Editor and manual import via the Multilogin UI is manageable. each import takes about 3 minutes once you have the workflow down.
At 100 profiles, manual import is not viable. you need the Multilogin API plus a cookie extraction pipeline. most operators at this scale use a headless browser or a dedicated extraction machine running the source sessions, exporting cookies on a schedule, and pushing them to Multilogin via API. python with [playwright](https://playwright.dev/) or [selenium](https://www.selenium.dev/) handles extraction; the Multilogin API handles import. the normalization script above becomes part of an automated pipeline.
At 1000 profiles, you are into infrastructure territory. cookie freshness management becomes the main operational problem: tracking expiry dates, scheduling re-extractions before cookies go stale, handling mid-cycle account reviews. operators at this scale typically build a small internal dashboard to track cookie health per profile. the airdropfarming.org/blog/ covers session management patterns that transfer well to Facebook account operations at this volume. you will also want proxy rotation logic that keeps each profile on a consistent IP subnet, not a fully random rotation, which would create the same geographic inconsistency problem described above.
Facebook’s Login Security documentation is worth reading if you are building automation at scale. it gives you the adversary’s perspective on what signals their systems weight, which helps you build cleaner session patterns.
Where to go next
- Choosing the right proxy type for Facebook ad accounts: covers residential vs. mobile vs. ISP proxies and which hold up best for long-running Facebook sessions.
- Multilogin X profile configuration for media buyers: deeper dive into fingerprint settings, storage isolation, and profile organization for teams running multiple ad accounts.
- Recovering Facebook ad accounts after a checkpoint: what to do when an account goes into review and how to triage which ones are worth recovering vs. retiring.
For more on multi-account browser setups beyond Facebook, the /blog/ index covers Multilogin, AdsPower, and GoLogin comparisons in detail.
Written by Xavier Fok
disclosure: this article may contain affiliate links. if you buy through them we may earn a commission at no extra cost to you. verdicts are independent of payouts. last reviewed by Xavier Fok on 2026-05-22.