For my application I need to know if a Facebook Connect session is valid from the server side.

The Javascript API lets you know if you are connected to Facebook or not, but it seems that this can't be done from the PHP client library.

The scenario where I need it is similar to the following:

  1. Log in to The Run Around using Facebook connect.
  2. Open Facebook in another tab.
  3. Log out from the Facebook tab (not The Run Around).
  4. Go back to the Run Around tab.
  5. Enter a new entry, but deactivate the "Publish this run to Facebook" checkbox.

After submitting the form your run will get published though you logged out before! After that call, the site will log you out because the Javascript API will try to validate your status.

In the 5th step, the application should check with Facebook if the session has expired or not (or use a workaround). The Connect implementation of The Run Around is flawed and shouldn't be used as an example because of this security issue.

+1  A: 

While I understand your analysis of the situation, this is actually the correct behaviour.

The Run Around is a Facebook Connect site, which means that it is completely separate from Facebook, as it should be. When you use FB Connect to link your FB account to the Run Around site, it establishes a local session and account for you in the Run Around database. This is technically what you are logged in to The Run Around with. Once this happens, your Facebook session is entirely irrelevant unless The Run Around wants to retrieve information about you from Facebook.

There are options to provide a FB Connect site with closer linkage to Facebook if you want to. See Detecting Connect Status and the FB.init() parameters for more on this. The Run Around has utilized this to force a logout of the local session once it detects that you are no longer logged in to Facebook. However, this only occurs once a page change or action happens and the Javascript runs to verify your FB session status.

The overall effect of how this all works is that Facebook Connect sites retain the ability to manage users locally, and only utilize Facebook features when needed and/or possible.

zombat
Zombat, I understand what you are saying about FB Connect and The Run Around site, but what is the reason why The Run Around logs you out when fb.init() detects you are not logged in? About me wanting to log out the user, "Why Does Facebook Do Single Sign Out?" says that SSO is implemented to avoid a user having to log out from Facebook separately from security issues. This, IMO, should be valid the other way around. http://wiki.developers.facebook.com/index.php/Connect/Authorization_Websites#Logging_Out_Users
andrerobot
Also, http://developers.facebook.com/docs/?u=facebook.jslib.FB.Connect.logoutAndRedirect says that the method FB.Connect.logoutAndRedirect logs you out and closes sessions from other apps. E.g.: I log in to FB, I enter site X and The Run Around. In site X I log out using the function, so the session is closed in FB and X, but not in The Run Around.
andrerobot
Also, what The Run Around is doing is inconsistent with what Digg is doing. When you log in or out from the Facebook site, Digg doesn't open or close your session in that site. You must press "Connect" to open your Digg session and Logout to close your session.
andrerobot
The reason why The Run Around logs you out when fb.init() detects you are not logged in is because they have designed The Run Around to be used only when you are logged in with Facebook. Most Facebook Connect sites are not designed this way, as you would be limiting your traffic to only Facebook users.
zombat
A: 

A friend told me the way to know if a session is valid or not:

http://wiki.developers.facebook.com/index.php/Users.getLoggedInUser

This method uses the session key as a parameter and returns the user id. If the session has expired, an error code is returned.

NOTE:

I won't use this in my application; as Zombat said, my app should keep its own session. I'll do what Digg does: be consistent with the log in and log out procedure by not automatically logging in and out when someone logs on to Facebook.

The Run Around tries to do everything automatically, but that is problematic, especially because the app doesn't check the session from the server side.

andrerobot
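The server-side check the answer describes, as an added example that is not part of the original post or of any Facebook library: it signs a legacy REST `users.getLoggedInUser` call and treats an error response as "session no longer valid". The endpoint URL, the md5 signature scheme, the error code 102 and the sample responses are assumptions I've constructed here; `transport` is a hypothetical hook so the logic can be exercised without a network.

```python
import hashlib
import json
import time
from urllib.parse import urlencode
from urllib.request import urlopen

# Assumed legacy REST endpoint (not taken from the post).
REST_ENDPOINT = "https://api.facebook.com/restserver.php"


def sign_request(params, secret):
    """Legacy REST signature (assumed): md5 over 'k=v' pairs sorted by key, app secret appended."""
    base = "".join(f"{k}={params[k]}" for k in sorted(params))
    return hashlib.md5((base + secret).encode("utf-8")).hexdigest()


def build_request(api_key, secret, session_key, call_id=None):
    """Build the signed parameter set for users.getLoggedInUser."""
    params = {
        "method": "users.getLoggedInUser",
        "api_key": api_key,
        "session_key": session_key,   # the key stored in the site's local session
        "v": "1.0",
        "format": "JSON",
        "call_id": str(call_id if call_id is not None else int(time.time() * 1000)),
    }
    params["sig"] = sign_request(params, secret)
    return params


def interpret_response(body, expected_uid):
    """Return (valid, reason). A bare uid means the session is live; an error object means it is not.
    The uid is also compared with the uid the local session believes it has."""
    data = json.loads(body)
    if isinstance(data, dict) and "error_code" in data:
        return False, f"error_code {data['error_code']}: {data.get('error_msg', '')}"
    if isinstance(data, str) and data.isdigit():
        data = int(data)
    if isinstance(data, int):
        return (True, "session valid") if data == expected_uid else (False, "uid mismatch")
    return False, "unexpected response"


def session_is_valid(api_key, secret, session_key, expected_uid, transport=None):
    """Ask Facebook rather than trusting the local cookie; transport defaults to a real POST."""
    params = build_request(api_key, secret, session_key)
    if transport is None:
        def transport(p):
            with urlopen(REST_ENDPOINT, urlencode(p).encode()) as resp:
                return resp.read().decode()
    return interpret_response(transport(params), expected_uid)


# Constructed sample responses: a live session returns the uid, an expired one an error object.
SAMPLE_OK = "12345"
SAMPLE_EXPIRED = '{"error_code":102,"error_msg":"Session key invalid or no longer valid"}'
```

Run the check before any server-side action that publishes on the user's behalf (step 5 of the question), and fall back to the local session only for features that do not touch Facebook.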