
Multiple OAuth Exceptions C# + Cookies + Non-Canvas

Okay, so this is a bit similar to someone else's unanswered question on the codeplex site, but perhaps it'll have more luck here. The first is very much repeatable on even the sample site (CSMvcWebsite):

[FacebookOAuthException: (OAuthException) Error validating access token.]

FacebookApp.Session is NOT null but a call to FacebookApp.Get() throws this booger.

Occurs whenever you're on a page that has called FB JS api's (thus creating an FB session cookie) and then you log out of facebook. If you then reload that page, the above error occurs. Easy to reproduce. Open the sample site and facebook in separate tabs. Click About in the sample. Log out of facebook. Refresh the about page (or click about again).

In the sample site, you can get this to go away pretty easily by navigating to a page that doesn't call FB api's. However, if you have a main page that is a login page (i.e., you can't do squat unless you're logged in), and the login page calls FB api's, then poof! Problem. No other page to navigate to. The only fix is to create and navigate to a bogus page (or manually delete the cookie).

Two problems here. First, how to detect that you're logged out? Perhaps catch the above exception? Is this the only reason you'd get it? Second, how to force the cookie to go away (presumably using JS)???

The second exception has only occurred a couple of times, but again it is one that I've seen unanswered on the codeplex site:

[!sessionValue.Contains(",") Session value must not contain a comma.]

WTH?? Not easy to reproduce (in fact I can't do it on demand at all), but I saw it on an unmodified version of the same sample as above. But this one was even more insidious, as the only solution was to manually delete the cookies (interestingly and perhaps notably there were TWO fbs_ cookies in this case).

Any thoughts or advice??


The problem is that there is no way for your server side code to tell if a user's session is valid or not until you make a request to Facebook. Consider that the cookie with the old user's information is still on the client and that cookie gets sent to the server. The cookie is valid in the sense that it contains authentic information. Beyond testing for forged cookie data, the server has no way of knowing that the user has removed the app and that the session is expired until an attempt has been made to make a call to the Facebook API. So the solution to the problem is to just handle FacebookOAuthExceptions. Typically this would be done by 1) retrying the api call (built into the SDK if you enable retries) and 2) catching the exception and redirecting the user to a "login" page that would require them to install the app again.

For example,

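var app = new FacebookApp();
try {
  // Any Graph API call is what reveals an expired or revoked session
  dynamic result = app.Get("me");
  // Use the result inside the try block so it is never read unassigned
  string firstName = result.first_name;
} catch (FacebookOAuthException) {
  // Redirect here
}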

As for the code contract violation with sessions containing a comma, that is generally only seen in testing. It normally results from testers adding and removing the app repeatedly. Somewhere along the process, I believe with the Facebook JavaScript SDK, the cookie is appended to rather than overwritten. This causes the cookie to be invalid and the Facebook C# SDK cannot parse the invalid cookie.

One thing to note is that if you are building a Facebook iframe app you should never use cookies. They are extremely unreliable in iframes with Facebook for several reasons that I won't go into here.
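The two failure modes discussed in this thread (a stale session cookie that only fails when the API is called, and a duplicated or comma-containing fbs_ cookie) can be handled in one server-side guard. This is an added example, not code from the original posts or from the Facebook C# SDK. Assumptions: the helper names are hypothetical, the session cookie is named fbs_ followed by the app id, and it was set with path "/" and no Domain attribute.

```csharp
using System;
using System.Web;
using Facebook;

// Hypothetical helper, not part of the Facebook C# SDK.
public static class FacebookSessionGuard
{
    // Returns true when a duplicated or comma-containing session cookie
    // was found and an expiring Set-Cookie was queued for it.
    public static bool ExpireBadSessionCookies(HttpContextBase ctx, string appId)
    {
        string name = "fbs_" + appId;   // assumed cookie name
        int count = 0;
        bool hasComma = false;
        // Walk by index: looking up by name would hide a second cookie
        // that carries the same name.
        for (int i = 0; i < ctx.Request.Cookies.Count; i++)
        {
            HttpCookie c = ctx.Request.Cookies[i];
            if (!string.Equals(c.Name, name, StringComparison.Ordinal)) continue;
            count++;
            if ((c.Value ?? "").Contains(",")) hasComma = true;
        }
        if (count <= 1 && !hasComma) return false;
        ExpireSessionCookie(ctx, name);
        return true;
    }

    // A browser only drops a cookie when Path (and Domain, if one was set)
    // match the original; "/" and host-only are assumptions here.
    public static void ExpireSessionCookie(HttpContextBase ctx, string name)
    {
        var expired = new HttpCookie(name, "") { Path = "/", Expires = DateTime.UtcNow.AddDays(-1) };
        ctx.Response.Cookies.Add(expired);
    }

    // Returns the first name, or null when the caller should redirect to login.
    public static string TryGetFirstName(HttpContextBase ctx, string appId)
    {
        if (ExpireBadSessionCookies(ctx, appId)) return null;
        try
        {
            dynamic me = new FacebookApp().Get("me");
            return me.first_name;
        }
        catch (FacebookOAuthException)
        {
            // The cookie looked well-formed but Facebook rejected the token.
            ExpireSessionCookie(ctx, "fbs_" + appId);
            return null;
        }
    }
}
```

A null return means the response already carries the expiring cookie, so the login page the caller redirects to starts without the stale session.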
