I'm using the Facebook Connect API for the login system on a website built using PHP. There is no straightforward way to determine if a user is logged in.

$fb = new Facebook($api, $secret);
$fb->get_loggedin_user();  

The above function always returns a user id once a user has authenticated with the site; even if they sign out of Facebook, it still returns their user id.
I've worked on this for a while, and after looking around, I think the reason it does this is because when a user is authenticated on the site, the Facebook JavaScript API stores cookies that are used to save information about the session.
However, if the user signs out of the regular Facebook session, the cookie is still returning values, even if the session is no longer valid.
My question is how do I update the cookies so that they don't give me values when the session is no longer valid?

+3  A: 

This can be a bit tricky. Basically, Facebook stores a bunch of cookies on the user's browser that are namespaced to your application id (i.e. 12345_fb_sig=etc). These cookies are used to tell your FB Connect app that the user has logged in to Facebook, and pass along the Facebook session id. But if the user goes somewhere else and logs out, these cookies don't get cleared, and as far as your Connect site is concerned, the user is still logged in. If the user comes back later and you try an API call with that session key, it will fail.

You can clear these cookies from a server-side library call to the PHP FB API client, $facebook->api_client->clear_cookie_state(); however, I wouldn't recommend this method. It requires you to make some kind of API call on each page load in order to confirm that the session key is still valid, and that adds a lot of overhead.

Generally, the best way to handle this is with the FB JavaScript libraries that you're already utilizing for FB Connect. You can add a parameter to the FB.init() call used to set up FB Connect that will force a page refresh if the client's session state has changed:

FB.init("<YOUR-API-KEY>", "<YOUR-CROSS-DOMAIN-CHANNEL-URL>", {"reloadIfSessionStateChanged":true}); 

It's a bit inelegant, as the user will see a page reload happening, but it's likely the best way to be sure. I would highly recommend you check out the Detecting Connect Status wiki page for more on these techniques.

zombat
When you say it will reload the page, does this only happen if they log out of Facebook?
jasondavis
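
A server-side middle ground between the two problems raised in the answer above (trusting stale cookies, or paying for an API call on every page load) is to re-confirm the session with Facebook at most once per time window. This is an added example, not code from the original posts or from the Facebook client library; `SessionGate`, the `$confirm` and `$clear` callbacks, the 300-second window and the sample values are assumptions.

```php
<?php
// Added example. SessionGate and its callbacks are hypothetical names.
final class SessionGate
{
    private $store;   // server-side store (e.g. $_SESSION): session key => time of last good check
    private $confirm; // callable(string $sessionKey): bool, one remote validity check
    private $clear;   // callable(): void, e.g. a wrapper around clear_cookie_state()
    private $ttl;     // seconds a positive check is trusted before re-checking

    public function __construct(array &$store, callable $confirm, callable $clear, int $ttl = 300)
    {
        $this->store = &$store;
        $this->confirm = $confirm;
        $this->clear = $clear;
        $this->ttl = $ttl;
    }

    // The cookie values are only a hint: return the user id solely when the
    // session key was confirmed with Facebook inside the trust window.
    public function currentUser(?string $cookieUid, ?string $sessionKey, int $now): ?string
    {
        if ($cookieUid === null || $sessionKey === null) {
            return null;
        }
        $last = $this->store[$sessionKey] ?? null;
        if ($last !== null && ($now - $last) < $this->ttl) {
            return $cookieUid;                  // recent check, no remote call
        }
        if (($this->confirm)($sessionKey)) {
            $this->store[$sessionKey] = $now;   // remember the successful check
            return $cookieUid;
        }
        unset($this->store[$sessionKey]);       // stale session: forget it and
        ($this->clear)();                       // drop the Connect cookies
        return null;
    }
}

// Constructed demo: $valid stands in for Facebook's view of the session.
$valid = ['sk-demo' => true];
$store = [];
$gate = new SessionGate($store,
    function (string $k) use (&$valid): bool { return !empty($valid[$k]); },
    function (): void { echo "connect cookies cleared\n"; });

var_dump($gate->currentUser('1001', 'sk-demo', 1000)); // first request: remote check
var_dump($gate->currentUser('1001', 'sk-demo', 1100)); // inside window: cached
$valid['sk-demo'] = false;                             // user logs out of Facebook
var_dump($gate->currentUser('1001', 'sk-demo', 1400)); // window passed: re-checked
```

The window length is the trade-off: a logged-out user can still be treated as logged in until the next re-check, so keep it short for pages that expose account data.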