Now I can remember more: whenever we get back a Facebook session or access_token, it should have a lifetime, and before we get back a user id, the library is supposed to have verified the user id is real by doing MD5, etc.
How do session and access_token work currently? Is there an infinite session any more? Do they normally expire within less than 2 hours? Is it true that if the user keeps on using the app or our website (connected to Facebook), then the session or access_token can be renewed -- the expiration time will be further extended?
Is there any use in storing the session or access_token in our DB's users table? I think if there is no infinite session, then we probably don't have to, unless we know our batch processing will do something within an hour (to do some lengthy Facebook API calls, for example).
What if we request email sending permission, and the user grants it, then won't we need to have a session or access_token to send the email a few days later when we have a newsletter to send out?