If a website uses Facebook Connect, it seems like the new Facebook Graph API way of logging in is that it will give an fbs___appID___ as a cookie, with access_token inside, and there are also the expires, session_key, and sig. Why are a session_key and sig needed? Isn't the access_token by itself enough? Is the session_key supposed to live longer than the access_token?

How does that compare to the old Facebook REST method, which has the auth_token and the 2378942398472398473_session_key and 2378942398472398473_ss?

+1  A: 

What you are asking about has nothing to do with the Graph API or REST API. This is purely about the authentication system. The new authentication will provide you with the access token and the other properties you listed. The only value you need to worry about is the access token. This is used for all Facebook API calls now. The other values, such as sig and session_key, are only used by the Facebook frameworks to validate that the data is authentic, i.e. from Facebook, not a spoofed cookie.

The old authentication system, with the old cookie names, has been phased out and will no longer work. There are a number of differences between the old system and the new system, but that really doesn't matter. The point is, use the new OAuth authentication to get an access token and use the access token for all your API calls.

You can read more about the new Facebook authentication here: http://developers.facebook.com/docs/authentication/

Nathan Totten
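
The signature check the answer refers to, as an added example that is not part of the original answer or Facebook's own code: a server-side verifier that rejects a spoofed or modified fbs_ cookie before trusting its access_token. It assumes the legacy scheme in which sig is the MD5 of the sorted key=value pairs (sig excluded) with the application secret appended, and that expires is a Unix timestamp; the function names, secret and cookie values are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl


def sign_fields(fields, app_secret):
    """MD5 over sorted key=value pairs (sig excluded) with the app secret appended."""
    payload = "".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")
    return hashlib.md5((payload + app_secret).encode("utf-8")).hexdigest()


def verify_fbs_cookie(raw_cookie, app_secret, now=None):
    """Return the cookie fields if sig is valid and unexpired, else None."""
    # The cookie value is a quoted query string: "access_token=...&sig=..."
    fields = dict(parse_qsl(raw_cookie.strip('"\\'), keep_blank_values=True))
    sig = fields.get("sig")
    if not sig or "access_token" not in fields:
        return None
    expected = sign_fields(fields, app_secret)
    # Constant-time comparison on bytes, so the check leaks nothing about
    # how many characters matched and non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8")):
        return None
    # Assumption: expires is a Unix timestamp; anything unparsable is rejected.
    try:
        expires = int(fields.get("expires", ""))
    except ValueError:
        return None
    now = time.time() if now is None else now
    if expires <= now:
        return None
    return fields


# Constructed sample values, not real credentials.
APP_SECRET = "example-app-secret"
_sample = {
    "access_token": "123456|constructed-session|token",
    "expires": "1300000000",
    "session_key": "constructed-session",
    "uid": "1000001",
}
_sample["sig"] = sign_fields(_sample, APP_SECRET)
SAMPLE_COOKIE = '"' + "&".join(f"{k}={v}" for k, v in _sample.items()) + '"'
```

Because the secret is known only to the application and Facebook, a client that edits uid or access_token in the cookie cannot produce a matching sig, which is why the extra fields accompany the token.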
