Now I remember more: whenever we get back a Facebook session or access_token, it should have a lifetime, and before we get back a user id, the library is supposed to have verified that the user id is real by doing MD5, etc.

How do session and access_token work currently? Is there still an infinite session? Do they normally expire within less than 2 hours? Is it true that if the user keeps on using the app or our website (connected to Facebook), the session or access_token can be renewed, so that the expiration time is extended further?

Is there any use in storing the session or access_token in our DB's users table? I think if there is no infinite session, then we probably don't have to, unless we know our batch processing will do something within an hour (some lengthy Facebook API calls, for example).

What if we request email sending permission and the user grants it? Won't we then need a session or access_token to send the email a few days later, when we have a newsletter to send out?

+1  A: 

So let me address your questions one at a time.

  1. A normal Facebook session (access_token) is only valid for a few hours.
  2. You can get an infinite session by requesting the "offline_access" extended permission from the user when they authenticate your app.
  3. To "renew" the session, you just send the user back to the authentication page on Facebook. This happens instantly because they already authenticated your app, so the user will be redirected back to your site and continue without noticing the auth.
  4. There isn't any reason to store an access token unless you have offline_access. If you have offline_access then you can store it; otherwise you might as well just read it from their cookie or session every time they make a new request.
  5. The email extended permission is not "permission to send them email", but rather permission to read their email address. If you are granted this permission, then you can get the user's email address from the Graph API and save it. Once you have the email address, you can send them emails like any normal email system. You don't need the access token for that.
Nathan Totten
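The handling the answer recommends, as an added Python example that is not code from the question, the answer or Facebook's own libraries. It assumes the token comes back as a query-style string `access_token=...&expires=SECONDS` with `expires` absent when `offline_access` was granted, and that the Graph API `/me?fields=email` reply is JSON with an `email` key; both shapes are assumptions, and all sample values are constructed. The points it shows are the ones from the answer: short-lived tokens are not worth persisting, an expiring token is renewed by sending the user back through Facebook auth, and for the newsletter case you store the email address rather than the token.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs


@dataclass(frozen=True)
class TokenInfo:
    """An access_token plus the moment it stops being valid (None = no expiry)."""
    token: str
    expires_at: Optional[datetime]

    def needs_reauth(self, now: datetime, margin: timedelta = timedelta(minutes=5)) -> bool:
        """True when the token has expired or is about to; the remedy is to send
        the user back through the Facebook auth redirect, as the answer says."""
        if self.expires_at is None:
            return False
        return now + margin >= self.expires_at


def parse_token_response(fragment: str, now: datetime) -> TokenInfo:
    """Parse 'access_token=...&expires=SECONDS' (assumed response shape).
    A missing 'expires' is treated as an offline_access (non-expiring) token."""
    params = parse_qs(fragment, strict_parsing=True)
    token_values = params.get("access_token")
    if not token_values or not token_values[0]:
        raise ValueError("response carries no access_token")
    expires_at = None
    if "expires" in params:
        seconds = int(params["expires"][0])
        if seconds <= 0:
            raise ValueError("non-positive expires value")
        expires_at = now + timedelta(seconds=seconds)
    return TokenInfo(token=token_values[0], expires_at=expires_at)


def should_persist(info: TokenInfo) -> bool:
    """Store a token only when it was issued with offline_access; a short-lived
    token is simply re-read from the user's cookie/session on each request."""
    return info.expires_at is None


def extract_email(graph_me_json: str) -> Optional[str]:
    """Pull the address out of a Graph API /me?fields=email reply (assumed JSON
    shape). Returns None when the user did not grant the 'email' permission."""
    data = json.loads(graph_me_json)
    email = data.get("email")
    if not isinstance(email, str) or "@" not in email:
        return None
    return email


def redact(token: str) -> str:
    """Never write a live credential to logs; keep just enough to correlate."""
    return token[:4] + "..." if len(token) > 4 else "..."


def newsletter_record(info: TokenInfo, graph_me_json: str) -> dict:
    """What the users table actually needs for the newsletter case in the
    question: the email address, and the token only if it is the offline kind."""
    return {
        "email": extract_email(graph_me_json),
        "stored_token": info.token if should_persist(info) else None,
    }


# Constructed sample inputs (not captured from Facebook).
SAMPLE_NOW = datetime(2010, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=3)
SHORT_LIVED = "access_token=EXAMPLE_SHORT&expires=7200"
OFFLINE = "access_token=EXAMPLE_OFFLINE"
ME_JSON = '{"id": "123", "name": "Sample User", "email": "sample@example.com"}'

if __name__ == "__main__":
    short = parse_token_response(SHORT_LIVED, SAMPLE_NOW)
    offline = parse_token_response(OFFLINE, SAMPLE_NOW)
    print(redact(short.token), short.expires_at, "persist:", should_persist(short))
    print(redact(offline.token), offline.expires_at, "persist:", should_persist(offline))
    print("short token needs re-auth 3h later:", short.needs_reauth(SAMPLE_LATER))
    print(newsletter_record(offline, ME_JSON))
```

`needs_reauth` applies a small margin so a request that starts just before expiry does not fail mid-flight; the batch-job case from the question is the same check run before the job starts, with a margin as long as the job.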
