How do I detect if a Facebook connect session hasn't expired from PHP/the server?

For my application I need to know if a Facebook Connect session is valid from the server side.

The Javascript API lets you know if you are connected to Facebook or not, but it seems that this can't be done from the PHP client library.

The scenario where I need it is similar to the following:

  1. Log in to The Run Around using Facebook connect.
  2. Open Facebook in another tab.
  3. Log out from the Facebook tab (not The Run Around).
  4. Go back to the Run Around tab.
  5. Enter a new entry, but deactivate the "Publish this run to Facebook" checkbox.

After submitting the form, your run will get published even though you logged out before! After that call, the site will log you out because the Javascript API will try to validate your status.

In the 5th step, the application should check with Facebook if the session has expired or not (or use a workaround). The Connect implementation of The Run Around is flawed and shouldn't be used as an example because of this security issue.


While I understand your analysis of the situation, this is actually the correct behaviour.

The Run Around is a Facebook Connect site, which means that it is completely separate from Facebook, as it should be. When you use FB Connect to link your FB account to the Run Around site, it establishes a local session and account for you in the Run Around database. This is technically what you are logged in to The Run Around with. Once this happens, your Facebook session is entirely irrelevant unless The Run Around wants to retrieve information about you from Facebook.

There are options to provide a FB Connect site with closer linkage to Facebook if you want to. See Detecting Connect Status and the FB.init() parameters for more on this. The Run Around has utilized this to force a logout of the local session once it detects that you are no longer logged in to Facebook. However, this only occurs once a page change or action happens and the Javascript runs to verify your FB session status.

The overall effect of how this all works is that Facebook Connect sites retain the ability to manage users locally, and only utilize Facebook features when needed and/or possible.


A friend told me the way to know if a session is valid or not:

http://wiki.developers.facebook.com/index.php/Users.getLoggedInUser

This method uses the session key as a parameter and returns the user id. If the session has expired, an error code is returned.

NOTE:

I won't use this in my application; as Zombat said, my app should keep its own session. I'll do what Digg does: be consistent with the login and logout procedure by not automatically logging in and out when someone logs in to or out of Facebook.

The Run Around tries to do everything automatically, but that is problematic, especially because the app doesn't check the session from the server side.
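The server-side check the two answers describe, as an added example that is not from the question, the answers or the Facebook PHP library: it builds the legacy REST users.getLoggedInUser call (signed with the sorted-parameter md5 scheme of the v1.0 REST API), treats an error response as an expired session, and gates the "publish to Facebook" action on both the checkbox and a uid match against the locally stored account. Shown in Python; the credentials, session key and response bodies are constructed placeholders.

```python
import hashlib
import json

# Constructed placeholders, not real application credentials.
API_KEY = "app-api-key-placeholder"
APP_SECRET = "app-secret-placeholder"


def sign_request(params, secret):
    """Legacy REST signature: md5 over the 'k=v' pairs concatenated in
    sorted key order, followed by the application secret."""
    base = "".join(f"{k}={params[k]}" for k in sorted(params))
    return hashlib.md5((base + secret).encode("utf-8")).hexdigest()


def build_get_logged_in_user(session_key, call_id, api_key=API_KEY, secret=APP_SECRET):
    """Parameters for users.getLoggedInUser; the session_key is what ties
    the call to the visitor's Facebook login, so an expired key fails here."""
    params = {
        "method": "users.getLoggedInUser",
        "api_key": api_key,
        "session_key": session_key,
        "v": "1.0",
        "format": "JSON",
        "call_id": str(call_id),
    }
    params["sig"] = sign_request(params, secret)
    return params


def logged_in_uid(response_body):
    """Return the uid Facebook reports, or None when the reply is an
    error object (the session key is no longer valid)."""
    data = json.loads(response_body)
    if isinstance(data, dict) and "error_code" in data:
        return None
    return int(data)


def may_publish(publish_checked, local_uid, response_body):
    """Server-side gate for 'Publish this run to Facebook': publish only if
    the user asked for it AND the session still maps to the uid stored at
    Connect time, instead of trusting the browser-side status."""
    if not publish_checked:
        return False
    uid = logged_in_uid(response_body)
    return uid is not None and uid == local_uid


# Constructed sample bodies in the shape of the legacy JSON replies.
VALID_RESPONSE = "123456"
EXPIRED_RESPONSE = json.dumps({"error_code": 102, "error_msg": "Session key invalid or no longer valid"})
```

The publish decision is made from the Facebook reply received on the server, so the step-5 scenario (logged out of Facebook in another tab) is refused before anything is posted.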
