Checking if a user is logged in to Facebook

I'm building in Facebook integration into my website with the php sdk. The website use offline_access. According to the Facebook platform rules you have to provide a log out link that logs the user out of Facebook.

What I don't want to do is displaying the log out link if the user is not logged in to Facebook since they ma开发者_JS百科y confuse it with the reauthorize button. (If they are not logged in, the link wouldn't do anything...)

Is there anyway I can check if the user is logged in on Facebook?

My thought was to use the getUser() method to see if I got the user, if not then I proceed with setting the access token I have and I would know if the user is logged in or not. However, the getUser() method checks if the protected $user variable is already set and if so return it. That makes the getUser() method unusable when I've set the access token and need to check again if the app has access.

I guess I could do it super easily by changing the $user variable to public and set it back to null in my app but I don't want to edit the sdk unless I really have to.

I think you should only be showing the "log out" button if the user is both logged in and authorized. In my experience, you normally do not know if the user is logged into Facebook if they have not authorized your app. And anyway, if they click to authorize your app they are prompted to log in at that point if they are not logged in anyway.

Using the php SDK, there are 2 ways to check the users login status:

$facebook->getUser(); // provides user id of logged in user
$facebook->getAccessToken(); // provides access token of logged in user

If you absolutely need to check to see if the user is logged in, then set the access token and check again, nothing is stopping you from creating a separate instance of a facebook object and setting the access token yourself.

However, not sure why you would want to do this, as if you have an access token that was obtained with the offline_access privilege it's always valid (until user deauthorizes or changes password), and if you don't have offline_access, you should use the one that is provided in the signed_request or code.