Delete facebook session cookie from my application on users logout
I am working on an application which uses Facebook Connect to log in users with their Facebook accounts.
Everything works fine except in the following case:
- User logs out from my website and from Facebook.
- User tries to log in again to my app.
In this case, when the Facebook Connect popup opens, it says "error in the application".
I found that the reason is that the old fbs cookie is not being removed on user logout. I have added code to delete the cookie on logout from my app, but the cookie isn't deleted.
Here is my code (using the Symfony framework):
$fbCookie = 'fbs_'.sfConfig::get('app_facebook_application_id');
$cookie = $request->getCookie($fbCookie);
if (!is_null($cookie)) {
    // no path or domain given: only a cookie set with the default path and no domain would match
    setcookie($fbCookie, ' ', time() - 3600);
}
This doesn't work. The cookie remains the same. The setCookie function returns "1" as expected.
What can be the problem?
I'm pretty sure I had trouble with this too... you need to make sure that you kill the Facebook session right after you delete the cookie, otherwise it will just pop back up... here's an example:
// Assuming that $facebook is your Facebook object populated with your settings
$facebook = new Facebook(array(
    'appId'  => FB_APPID,
    'secret' => FB_APPSECRET,
    'cookie' => true,
));
$fb_key = 'fbs_'.sfConfig::get('app_facebook_application_id');
// expire the cookie with a past date and the '/' path (set_cookie is not a PHP function)
setcookie($fb_key, '', time() - 3600, '/');
$facebook->setSession(NULL);
In the current version of the Facebook SDK you need to use:
$fb_key = 'fbsr_'.$facebookConfig['app_id'];
setcookie($fb_key, '', time() - 3600);
$facebook->destroySession();
I tried clearing out the cookies and the session manually, and it still didn't work for some reason (see Facebook PHP: After user logs out of facebook, they can't login to my app with another user). Using the above solution was what worked in the end.
I had the same problem and none of the solutions I came across on the web worked for me. Then suddenly another app with the same code worked fine, so I checked the advanced settings in the app, and it worked when I changed: OAuth 2.0 for Canvas ENABLED, Timezone-less events ENABLED and Upgrade to Requests 2.0 ENABLED.
Hope it helps.
Make sure to use the following code:
$params = array( 'next' => 'https://yourUrl/logout' );
$data['logoutUrl'] = $this->facebook->getLogoutUrl($params);
to redirect the page to a logout controller or page, and then kill the sessions on that page.
As you said ;) it's about the cookie your local script sets, not one on Facebook.com, so your question is legit.
I ran into the same issue here. The PHP SDK does not give you the possibility to delete the cookie. So either you run the whole session without a cookie:
$facebook = new Facebook(array(
'appId' => FB_APPID,
'secret' => FB_APPSECRET,
'cookie' => false,
));
or you redirect the user to the logout URL at Facebook:
header('Location: ' . $facebook->getLogoutUrl(array('next' => URL_AFTER_LOGOUT)));
exit;
The only problem seems to be that the user is logged out from Facebook too.
If you can use Javascript try this:
<script src="http://connect.facebook.net/en_US/all.js"></script>
<script>
FB.init({appId: '<?php echo FB_APPID;?>', status: true, cookie: true, xfbml: true});
FB.Event.subscribe('auth.logout', function(response) {
window.location.href='YOUR_LOCAL_LOGOUTSCRIPT';
});
</script>
I was having trouble with this too, and contrary to Efazati's answer, my trouble was with cookies set on my own domain by the Facebook PHP API library. The thing I was overlooking was, when deleting the cookie, using the exact domain and path that the cookie was set with. This is the line that successfully deleted the cookie for me:
setcookie("fbs_" . $app_id, '', time()-3600, "/", ".mydomain.com");
tgriesser's comment was also helpful.
<?php
// include the Facebook SDK
include_once 'src/facebook.php';
// Define crucial params
define( 'APPID', '' );
define( 'SECRET', '' );
define( 'URL', 'http://fb.domain.co.uk' );
// shake my hand!
$facebook = new Facebook( array( 'appId' => APPID, 'secret' => SECRET, 'fileUpload' => true ) );
// if we are being visited by someone trying to log out, let's make sure they get logged out!
if( isset( $_GET['logged_out'] ) ) {
    setcookie( "PHPSESSID", "", (time()-3600) );
    header( "location: " . URL );
    exit();
}
// output buffer for the page body (initialised so .= below does not raise a notice)
$return = '';
// let's try to get the user's id
$user_id = $facebook->getUser();
// try to get their access token
$access_token = $facebook->getAccessToken();
// if we have an id
if($user_id) {
    // from the outset, we're good to go...
    $logged_in = true;
    echo "<h1>Logged in</h1>";
    $params = array( 'next' => URL . '?logged_out' );
    $return .= '<br /><a href="' . $facebook->getLogoutUrl($params) . '">logout</a>';
}else{
    // login, man!
    $login_url = $facebook->getLoginUrl(
        array(
            'scope' => 'read_stream, publish_stream, manage_pages, photo_upload',
            'next' => URL . '?logged_in'
        )
    );
    $return .= 'Please <a href="' . $login_url . '">login.</a>';
}
echo $return;
?>
I had the same problem and tried all of the above, but then I suspected that the cookie names were not what I expected them to be, and indeed! So I just printed my cookies and checked carefully which of them I wanted to remove:
//print the cookies just to make sure what is the exact name of the cookie
foreach ($_COOKIE as $key => $value) {
print $key . "=" . $value . "</br>";
}
//delete
if (isset($_COOKIE['fbsr_' . $app_id])) {
setcookie('fbsr_' . $app_id, $_COOKIE['fbsr_' . $app_id], time() - 3600, "/");
setcookie('PHPSESSID', $_COOKIE['PHPSESSID'], time() - 3600, "/");
unset($_COOKIE['fbsr_' . $app_id]);
unset($_COOKIE['PHPSESSID']);
}
This PHP script should run after calling FB.logout.
In your JS part:
function logout() {
FB.init({appId: '[your app id]', status: true, cookie: true,xfbml: true});
var flag = confirm("logout from your facebook account as well");
if (flag) {
FB.logout(function(response) { window.location='logout.php' });
}
}
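As an added example (not code from the question or from any of the answers above), here is a logout handler that puts together what the path/domain answer and the fbsr_/PHPSESSID answer above each do separately: it forgets the SDK state, expires every Facebook cookie for the app with the same path and domain it was set with, and destroys the server-side PHP session along with its cookie using the parameters the session was created with. It assumes the Facebook PHP SDK v3 is present as src/facebook.php and provides destroySession() (as used in an answer above); FB_APPID, FB_APPSECRET and COOKIE_DOMAIN are hypothetical constants you fill in, and the fbm_ metadata cookie name is an assumption about what the JS SDK sets alongside fbsr_.

```php
<?php
// Added example, not from the original question or any of the answers.
require_once 'src/facebook.php';

define('FB_APPID', 'your-app-id');          // placeholder (hypothetical)
define('FB_APPSECRET', 'your-app-secret');  // placeholder (hypothetical)
define('COOKIE_DOMAIN', '.example.com');    // domain the JS SDK cookie was set with (assumption)

/**
 * Expire one cookie. A browser only replaces a cookie when name, path and
 * domain all match, so these must equal the attributes used when it was set;
 * otherwise a second, empty cookie is created and the original survives.
 */
function expireCookie($name, $path = '/', $domain = '')
{
    if (headers_sent()) {
        return false;                       // Set-Cookie can no longer be emitted
    }
    setcookie($name, '', time() - 3600, $path, $domain);  // expiry in the past
    unset($_COOKIE[$name]);                 // keep the current request consistent
    return true;
}

/**
 * Names of the cookies the Facebook SDKs set for this app that are present
 * in $cookies: fbs_ (old SDK), fbsr_ (signed request, SDK v3) and fbm_
 * (metadata cookie written by the JS SDK; assumed name).
 */
function facebookCookieNames(array $cookies, $appId)
{
    $names = array();
    foreach (array('fbs_', 'fbsr_', 'fbm_') as $prefix) {
        if (isset($cookies[$prefix . $appId])) {
            $names[] = $prefix . $appId;
        }
    }
    return $names;
}

function logout(Facebook $facebook, $appId, $cookieDomain)
{
    // 1. Forget the SDK's own state (access token, user id, persisted data).
    $facebook->destroySession();

    // 2. Expire the SDK cookies with matching path and domain. Both the
    //    domain form (JS SDK) and the host-only form (older server-side
    //    code) are expired, since only an exact match removes a cookie.
    foreach (facebookCookieNames($_COOKIE, $appId) as $name) {
        expireCookie($name, '/', $cookieDomain);
        expireCookie($name, '/');
    }

    // 3. Drop the server-side PHP session and its cookie using the
    //    parameters it was created with, so an old PHPSESSID is dead too.
    if (session_id() !== '') {
        $_SESSION = array();
        $p = session_get_cookie_params();
        expireCookie(session_name(), $p['path'], $p['domain']);
        session_destroy();
    }
}

session_start();
$facebook = new Facebook(array(
    'appId'  => FB_APPID,
    'secret' => FB_APPSECRET,
    'cookie' => true,
));
logout($facebook, FB_APPID, COOKIE_DOMAIN);
header('Location: /');   // back to the app, which now shows the login link
exit;
```

Point the `next` parameter of getLogoutUrl(), or the FB.logout callback from the answer above, at this script so that the Facebook-side logout and the local cleanup happen in that order; if a cookie still survives, compare its path and domain in the browser's cookie store with the values passed to expireCookie().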
For some reason you can't delete the cookie, even though you obviously have permission to read it (because you had to read the access_token).
But anyhow: this issue only comes up on localhost. On your server you shouldn't run into it! The cookie also doesn't get deleted on your server, but it is not recognized as a valid access_token when you try to log in again.