Pablo

Reputation: 4313

facebook session trouble

I have a facebook iframe facebook app. At the top of each page I run the authentication script from the php example included. For some reason however if I login to one facebook account, access my application, log out of facebook and into a new account when I visit the application I am still authenticated as the first user.

How come the session still exists? Why does the Facebook library not realise it is invalid?

please help.

Here is my authentication script that I include at the top of each page. It is almost identical to the example. The only change is that I have added a line to pass a GET parameter through the login url.

    <?php
    // $conf (app id, app secret, app URL) is assumed to be defined before this include.
    $uid = null; // facebook user id

    require_once "facebook.php";

    // Create our Application instance.
    $facebook = new Facebook(array(
      'appId'  => $conf['fb']['appid'],
      'secret' => $conf['fb']['secret'],
      'cookie' => true,
    ));

    // Optional user_id passed through the login URL; default to no extra parameter
    // so $loginUrlParam is always defined below.
    $user = array();
    $loginUrlParam = '';
    if (isset($_GET['user_id']) && is_numeric($_GET['user_id'])) {
        $user['id']    = $_GET['user_id'];
        $loginUrlParam = '?user_id=' . urlencode($_GET['user_id']);
    }

    // Facebook Authentication part
    $session  = $facebook->getSession();
    $loginUrl = $facebook->getLoginUrl(
        array(
            'canvas'    => 1,
            'fbconnect' => 0,
            'req_perms' => 'publish_stream',
            'next'      => $conf['dir']['app_url'] . $loginUrlParam
        )
    );

    $fbme = null;

    if ($session) {
        try {
            $uid  = $facebook->getUser();
            $fbme = $facebook->api('/me');
        } catch (FacebookApiException $e) {
            // The stored session is invalid: send the top-level window to the login URL.
            // json_encode() emits a properly quoted JavaScript string literal.
            echo "<script type='text/javascript'>top.location.href = " . json_encode($loginUrl) . ";</script>";
            exit;
        }
    }

    print_r($fbme);

Update:

Just found something very weird. I am able to be logged into facebook in two browsers. I know in the past if I logged in from one browser it would log me out of the other. Is there a problem with facebook atm?

Upvotes: 0

Views: 694

Answers (1)

Peter Bailey

Reputation: 105914

Your problem is actually a combination of issues.

First of all, you have cookie support enabled on your instance of the Facebook class. This triggers Facebook::getSession() to look for a session in the cookie if a session is not provided in $_REQUEST.

And, by the look of this code, since you're obtaining the session prior to knowing who the user is, the old session that's still in the cookie is picked up.

Remember, logging out of Facebook is going to do nothing to delete/remove session cookies on your domain.

You have several ways around this. If you're going to keep cookie support enabled, then you'll need to make sure you properly reset that cookie when an unidentified user visits the application. This is something you would have to do on a fresh load of the canvas page - not something that's included on every page of your app.

$facebook = new Facebook(array(
  'appId'  => $conf['fb']['appid'],
  'secret' => $conf['fb']['secret'],
  'cookie' => true,
));

// Calling this w/no parameters will clear the session
$facebook->setSession();

You can also just turn cookie support off but then you'll need to manually maintain the session ID and facebook session data as well.

Upvotes: 1
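The reconciliation the answer describes, written out as an added example that is not part of the original post or of the Facebook PHP SDK: a Python sketch of a canvas request handler that only trusts the session left in the app-domain cookie when it matches the identity the platform asserts in the current request, and otherwise discards it (the PHP SDK equivalent of that discard is the `$facebook->setSession()` call shown above). It assumes the identity arrives in Facebook's signed_request form (base64url HMAC-SHA256 signature, a dot, base64url JSON payload, keyed with the app secret); the secret, user ids, tokens and session contents below are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder; a real app secret comes from the app's configuration.
APP_SECRET = b"constructed-app-secret-do-not-reuse"


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as used in signed_request."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped '=' padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_signed_request(payload: dict, secret: bytes) -> str:
    """Build a signed_request the way the platform would (used here only to construct test input)."""
    encoded = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret, encoded.encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + encoded


def parse_signed_request(signed_request: str, secret: bytes) -> Optional[dict]:
    """Verify the HMAC over the encoded payload and return the payload, or None if anything is off."""
    if "." not in signed_request:
        return None
    sig_b64, payload_b64 = signed_request.split(".", 1)
    try:
        expected = hmac.new(secret, payload_b64.encode("ascii"), hashlib.sha256).digest()
        provided = b64url_decode(sig_b64)
        # Constant-time comparison: the signature is what stops a forged identity assertion.
        if not hmac.compare_digest(expected, provided):
            return None
        payload = json.loads(b64url_decode(payload_b64).decode("utf-8"))
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return None
    if not isinstance(payload, dict) or str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    return payload


def reconcile_session(cookie_session: Optional[dict], signed_request: Optional[str],
                      secret: bytes) -> Optional[dict]:
    """Decide which session this request may use.

    cookie_session is whatever an earlier visit left in the app-domain cookie; logging out of
    the platform never touches it, so it may belong to someone else. The platform's assertion
    about the current user (the signed_request) is authoritative:
      * no valid assertion carrying a user_id -> None: clear the cookie, send the user to login
      * assertion matches the cookie's uid    -> keep the cookie session
      * assertion names a different user      -> drop the stale session, start one for that user
    """
    payload = parse_signed_request(signed_request, secret) if signed_request else None
    asserted_uid = payload.get("user_id") if payload else None
    if asserted_uid is None:
        return None
    if cookie_session and str(cookie_session.get("uid")) == str(asserted_uid):
        return cookie_session
    return {"uid": str(asserted_uid)}


def demo_account_switch() -> dict:
    """Replays the question's scenario: user 111 leaves a session cookie behind, user 222 arrives."""
    stale_cookie = {"uid": "111", "access_token": "constructed-token-for-111"}
    request_for_111 = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "111"}, APP_SECRET)
    request_for_222 = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "222"}, APP_SECRET)
    return {
        "same_user": reconcile_session(stale_cookie, request_for_111, APP_SECRET),
        "switched_user": reconcile_session(stale_cookie, request_for_222, APP_SECRET),
        "no_assertion": reconcile_session(stale_cookie, None, APP_SECRET),
    }


if __name__ == "__main__":
    for name, result in demo_account_switch().items():
        print(name, "->", result)
```

The point of `reconcile_session` is the ordering: the cookie is consulted only after the platform's signed assertion has been verified and compared against it, which is the opposite of the question's script, where `getSession()` reads the cookie before anything is known about the current visitor. Running the block prints the three outcomes: the matching user keeps the cookie session, the switched user gets a fresh session for uid 222 rather than 111, and a request with no assertion gets no session at all.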
