I have .net web site which designed for working as standalone application. Due to one issue I was made to perform login flow to Facebook manually instead of calling FB.login(from FB javascript sdk). And because of this I am not able to call FB.logout (because in this case another issue appears).
Facebook support advised me this:
"In this case, you should manually clear the user's logged in session, by clearing any stored cookies, or removing any access tokens or user information stored on our end. You can refer to this page for more information on building login/logout flows manually: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/#logout"
I didn't get this answer. How to realize manually logout workflow?
And I didn't find any examples.
You can check what the PHP SDK’s getLogoutUrl method does here, https://github.com/facebook/php-graph-sdk/blob/5d0c4865e80e231d48a4571841bd018828fe58e1/src/Facebook/Helpers/FacebookRedirectLoginHelper.php#L156
Basically it just calls https://www.facebook.com/logout.php with two parameters:
next is the redirect URI the user should be redirected back to after logout; it needs to be within your app domain
access_token is the valid user access token for the current user of your app
Related
The Facebook Platform Policies section 1.6 clearly states
Your website must offer an explicit "Log Out" option that also logs the user out of Facebook.
The Login Flow for Web without Javascript SDK says on Logging people out
You can log people out of your app by undoing whatever login status indicator you added, for example deleting the session that indicates a person is logged in. You should also remove the stored access token.
On the other hand the Login Flow for Web says about Logging people out
Note: This function call will also log the person out of Facebook. The reason for this is that someone may have logged into your app and into Facebook during the login flow. If this is the case, they might not expect to still be logged into Facebook when they log out of your app. To avoid confusing people and to protect personal security, we enforce this logout behavior.
So in my understanding the Login Flow with JS SDK does what the policy says, it logs the user out of Facebook as well. How do I implement the Login Flow without JS JSDK correctly, such that i do not violate the Facebook Platform Policy? So far i don't see that the Graph API offers a similar functionality.
That should be easy, looking at the PHP SDK’s method getLogoutUrl, that creates an URL of the following scheme:
https://www.facebook.com/logout.php?next=FOO&access_token=USER_ACCESS_TOKEN
For FOO you just place the URL of your website where you want the user to be redirected to after they are successfully logged out of Facebook (don’t forget to properly URL-encode that value), and USER_ACCESS_TOKEN should be self-explanatory. (You need an active user access token to log the user out of Facebook – obviously, because otherwise every site on the web could just redirect me to this address and log me out of Facebook, without me actually wanting that to happen.)
I have an application which asks for a registration through facebook but before a user can proceed to the registration, the system should first determine if there is an active session. If a user is logged in to facebook, it should then automatically logout for a fresh start.
But here is where I'm stuck. The SDKs only let the user log out from facebook if he is connected to your app. It uses the app's access token. But what if he is still not registered to your app? Their log out means to log out from your app, and not really from facebook.
My requirement :
1. How can i log out from facebook.
2. How can i clear the browser cookies?
Not on a specific app but the whole facebook session.
[from comments] But to use the getLogoutUrl() function, the user has to be connected to your app. What I need is to logout from the whole facebook and not just from the app
If the user is connected to your app, then the URL provided by the getLogoutUrl method does that – log the user out of your app (web-app) and out of facebook.com.
If the user is not connected to your app however, you don’t have an active user access token – and then logging out of Facebook is not possible. The obvious reason being that if it was, every website that I visit could log me out of Facebook in a “drive-by” manner – without me actively wanting that, so people would get annoyed quite quickly.
If a user is logged in to facebook, it should then automatically logout for a fresh start.
If this is a security consideration, then you are in fact looking for re-authentication, which can be done using the auth_type parameter, quote from docs:
In apps where security is very important, you may want to double-check someone's identity - perhaps before they make a purchase within the app, or use it to access some sensitive personal data.
To prevent situations where a user could leave a device logged in or man-in-the-middle hijacking of the user session, re-authentication forces a person to re-enter their Facebook password before they can continue to use your app.
Be aware to use the server-side Auth flow though – because in the client-side flow, using the JS SDK, there is a bug that allows the user to bypass re-entering his password by simply closing the popup, which is still open: https://developers.facebook.com/bugs/248632218597467 (Has been assigned Priority: High, but received still nothing more than a “we will follow up” response yet.)
Use the logout.php url.
https://developers.facebook.com/docs/reference/php/facebook-getLogoutUrl/
Basically,
http://facebook.com/logout.php?next=YOUR_NEXT_URL_FOR_LOGOUT&access_token=USER_TOKEN
1) logging out from facebook by using
facebook=>getLogoutUrl();
2) clearing the session by using :
$facebook->destroySession();
example:
Log Out
logout.php page codes as follow:
<?php
require 'facebook.php';
$facebook->destroySession();
header( "location:index.php" );
?>
I am using the PHP SDK on my website. I have developed a registration form and login form.
The facebook login link is generated, the user clicks and authorises the app. They are redirected to my site and have an access token.
I can use API call such as $this->facebook->api('/me/');
I put the call within a try statement and catch any exceptions.
It works perfectly.
The problem is that randomly my access token will expire, as such the api all cannot complete and the exception is caught. I don't know why this is, but what i want to do is seamlessly refresh the access token.. i.e get a new one and continue the users session on the site seamlessly.
What i thus do is save their location in a session, redirect the user to the facebook login page in the catch statement, and then on successfully re-logging in the user redirecting back to where they were.
This works, but there is a problem.
Having this:
try
{
$me = $CI->facebook->api('/me');
}
catch(FacebookApiException $e)
{
//redirect to fb login lin
}
on every page essentially doubles the page load time of every page on the site - the Facebook PHP SDK is inherently slow.
Instead of 1 second page loads, they are taking 2-3 seconds. I have benchmarked it, and it is because of this try/catch..
What can i do? HOw can i maintain/refresh an access key for an authorised user without huge load time costs to my users?
EDIT : The solution that I am suggesting uses direct OAuth 2.0 calls for Authentication using PHP and later PHP SDK for rest of the Facebook API calls.
Initially acquire an access_token by following the steps from Facebook Developer Documentation.
At Step 6, you will have an access_token with a longer validity of 90 days.
Now, once you have acquired an extended access_token, you can make the PHP SDK use the same by calling Facebook::setAccessToken
Store the Facebook object in $_SESSION for making api calls from other pages.
Furthermore, you can go ahead and save this extended access_token persistently(in a Database). This will eliminate the Facebook communication for logging in process altogether. However make sure that you have taken necessary security precautions for safe-guarding the access_token(for obvious reasons) and your privacy policy states the same.
We are integrating an application as a facebook app at work. I want to be able to detect whether the user has logged in to facebook, and if not, to prompt for authentication.
So far we have successfully used the facebook SDK and the login functionality it provided. However, this causes an authentication popup window to be created by our application, and it is being blocked by most of the browsers, so our priority task is to re-implement the authentication logic not to use popups.
According to the this tutorial from the facebook documentation it could be done either by using event subscription for user status change requests (which did not work when the user is logged out) or by obtaining access token. The problem is that the token is returned as request parameter to the top window (the url I specify as a return url after the user authenticates). Since some cross-domain and browser restrictions exist, I am unable to use client scripting to obtain the value, and I am stuck.
Related questions here have been asked and the common issue is that most apps are being ran on localhost. However, the case with our app is that we have deployed our app to local webserver, that is exposed by a public domain, but still has the cross-domain restriction issues. It is being referenced by its public domain name within the facebook app configuration. I am completely confident in that the domains are fully accessible from outside.
In general, our case is that we would like to host the app while it is being used by facebook users. Perhaps this approach might be incompatible with our requirement? Is it possible to configure cross-domain communication to avoid the issue? Are any other ways to do avoid facebook login popups?
First of all, default settings for popup blockers in modern browsers are so that they only block popups that are called without user interaction. If you call FB.login automatically on page load, it is likely to get blocked. But if you offer a link/button to the user saying “log in here” and only call FB.login on click on that link/button, then the popup is rather likely to be shown and not blocked.
If you are not willing to do it that way – then your other option is to use the server-side auth flow. You can just redirect the user to the auth dialog, which will happen in the same window, and he will be directed back to your app afterwards.
I have a website based game that has login accounts that I want to integrate into facebook (not facebook connect, I want to use an iframe canvas page).
My question is how can I authenticate a user and how can I check if a user is coming from facebook or directly from the site.
I have been playing around with require_login() using the PHP library. My main fear is how can I authenticate that the GET parameters from facebook are indeed from facebook? If I can do that then I can store their facebook session id and Uid in a session as login credentials.
My other worry is that the GET variable may get passed as a reffer to an external link.
Finally... I find in some browsers that with require_login() that it breaks out of the iframe and gets into an eternal look continually adding additional authtoken's to the URL.
Hope someone can help
Yes you can create a app that works independently as well as facebook app. For the facebook you will have to use the facebook's iframe method to work under facebook.
You can verify the request comes from Facebook by verifying the signature in the same way that Facebook checks that API requests come from your application. With the PHP client library you can use the validate_fb_params() method of the Facebook class to do this automatically.
Bear in mind that session key's are temporary so the user will keep needing to authenticate with Facebook through your application otherwise the key expires within the hour. You may also run into a 3rd party cookie issue with Safari if you're hoping to store the session key in a cookie, and you'll need a compact privacy for quite a few other browser/privacy setting combinations as well. Something like:
<?php
header('P3P: CP="CAO PSA OUR"');
?>
in an include would do it.
And yes: the session key may be passed to external sites as in the referrer properties. It's just one of the security flaws that the platform currently has. The only way around that is either to redirect all external clicks through a handler which removes the referrer, or redirect on page load to strip the fb_sig_ss parameter out.