In old API the init function required path to xdreceiver and now i see it disapeared from docs.

I thought the xdreceiver is for seting cookies in your domain from facebook, but how it's working now?

Assuming your talking about an external or iframe Facebook application then Facebook uses the OAuth2.0 system and stores a cookie on your server of the form fbs_APPID where APPID is obviously the application id of your connect/canvas application.

Inside this cookie there is an access_token which is used to by both the old rest API and the new graph API to make requests on behalf of the user. This means the xdreceiver file is no longer required.

See the Facebook Developers article on authentication in OAuth2.0 here Canvas applications can also take advantage of a new experimental signed request in order to receive the access_token.

That file is not required anymore. My understanding is that they store cookies on their side in database somewhere and then emulate cookie headers when sending HTTP requests to your app, so to your application it seems like regular cookies from a browser.

You can read briefly about cookies here, couldn't find anything better.

EDIT Seeing BeRecursive's answer, I want to clarify that I was talking about cookies that you manually set from your canvas app. Maybe it's not what you asked about.