tags:

views:

31

answers:

1
Q: 

How's the current state of Facebook's session and access_token?

Now I can remember more, that whenever we get back a Facebook session or access_token, it should have a life time, and before we get back a user id, the library is supposed to have verified the user id is real by doing MD5, etc.

How do session and access_token work currently? Is there infinite session any more? Do they normally expire within less than 2 hours? Is it true that if the user keep on using the app or our website (connected to Facebook), then the session or access_token can be renewed -- expiration time will be further extended.

Is there any use to store the session or access_token in our DB's users table? I think if there is no infinite session, then we probably don't have to, unless if we know our batch processing will do something within an hour (to do some lengthy Facebook API calls, for example).

What if we request email sending permission, and the user grants it, then won't we need to have a session or access_token to send the email when a few days later when we have a Newsletter to send out?

+1  A: 

So let me address your questions one at a time.

  1. A normal facebook session (access_token) is only valid for a few hours.
  2. You can get an infinite session by requesting the "offline_access" extended permission from the user when they authenticate your app.
  3. To "renew" the session, you just send the user back to the authentication page on facebook. This happens instantly because they already authenticated your app so they user will be redirected back to your site and continue, without noticing the auth.
  4. There isnt any reason to store an access token unless you have offline_access. If you have offline access then you can store it, otherwise you might as well just read it from their cookie or session every time they make a new request.
  5. The email extended permission is not "permission to send them email", but rather permission to read their email address. If you are granted this permission, then you can get the user's email address from the Graph API and then save this email address. After you have the email address, you can send them emails like any normal email system. You don't need the access token for that.
Nathan Totten  2010-10-24 16:51:27

related questions

Does the Facebook REST API allow you to get a friend's phone number?
Hosting a Facebook Application?
My Facebook application's Javascript doesn't work in Google Chrome
Successful sites using Asp.NET and the Facebook API
How do you remove the "box head" in a Facebook application?
Render Self-Closing Tag in ASP.NET custom control derived from Control
What does the new Facebook Connect platform offer over a traditional Facebook App?
I need help creating a modding system in a Facebook Application
New Facebook app - FBML or iFrame?
how much does facebook denormalize their databases to break things up by network and therefore shrink the tables and speed the system?
using a named function as the callback for $.getJSON in jQuery to satisfy Facebook request signing demands
Which Facebook .NET Library is the best to use?
In Facebook app, is there a way to link directly to "join a group"
Facebook Development vs. XNA, Which is Worth Learning?
What's a Good Resource for Learning Facebook Application/Game Development?
Example Facebook Application using TurboGears -- pyFacebook
How to authenticate in a Facebook Flash application?
Facebook RSS application
Using Merb for Facebook Application
How to start facebook app?
Is anyone developing facebook apps on Grails
How do I import facebook friends from another website
Facebook java integration
Developing and Testing a Facebook application
Anyone have a link to a technical discussion of anything akin to the Facebook news feed system?