I'm serving a list of events to my clients’ website. They include it via php/curl (rather than iFrame), so they can fully customize the CSS.
However, this means that I can’t use the Facebook API to find out wether a visitor of my client’s page is logged in to FB: The FB-API call needs to be signed by an application and shall only be called from the domain the application is associated with. (That would be my server’s domain, but the requests are coming from my client’s page.)
Back in the old days, accessing a user profile on FB would issue a 404 error, if not logged in.
<script type="text/javascript" src="https://www.facebook.com/pianojoe" onload="enable_social_links()" onerror="not_logged_in_to_facebook()" async="async"></script>
That was convenient, but FB took care :-/ of it.
I want to show FB-links for the events in my calendar only if the page visitor is logged in to Facebook.
My question: How do I find out if a page visitor is logged in to Facebook if I can’t determine the domain of the referring page beforehand, and therefore not use the Facebook API?
The Facebook PHP SDK has a (relatively new) method called getLoginStatusUrl.
It creates a simple URL that you redirect the user’s browser to, which takes them to Facebook, where his login status is checked, and then redirects them back to one of three different URLs of your app, that you can specify.
ok_session is the one that you would be mainly interested in here: “URL to return if the user is logged in to Facebook.”
(The other two are no_user for when the user is logged out of Facebook, and no_session for when Facebook themselves can’t figure out the user’s status, because there’s no user-specific FB cookies whatsoever set in their browser.)
So you could set ok_session to an URL of your application with an additional GET parameter like ?logged_into_fb=true (the other two options, if not specified explicitly, will then only redirect back to your app’s base URL) – and that way, when the user is redirected back to your app with that parameter, you know they are currently logged into Facebook.
Whether or not you are actually using the FB PHP SDK does not really matter – by looking at the source code of the method it’s relatively easy to figure out how the actual URL is build, so you could easily adapt that and use it without the SDK as well.
Related
I have .net web site which designed for working as standalone application. Due to one issue I was made to perform login flow to Facebook manually instead of calling FB.login(from FB javascript sdk). And because of this I am not able to call FB.logout (because in this case another issue appears).
Facebook support advised me this:
"In this case, you should manually clear the user's logged in session, by clearing any stored cookies, or removing any access tokens or user information stored on our end. You can refer to this page for more information on building login/logout flows manually: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/#logout"
I didn't get this answer. How to realize manually logout workflow?
And I didn't find any examples.
You can check what the PHP SDK’s getLogoutUrl method does here, https://github.com/facebook/php-graph-sdk/blob/5d0c4865e80e231d48a4571841bd018828fe58e1/src/Facebook/Helpers/FacebookRedirectLoginHelper.php#L156
Basically it just calls https://www.facebook.com/logout.php with two parameters:
next is the redirect URI the user should be redirected back to after logout; it needs to be within your app domain
access_token is the valid user access token for the current user of your app
We have a Proof of Concept requirement that from a static URL posted in an advertisement on Facebook, we identify the unique individual that clicked our link and has landed on our page (external to Facebook).
This static advertisement will have no coding associated with it (that is part of our challenge - and will just redirect the user to our site).
Is there anything within the stream of data that is sent in a normal redirect or available to us in anyway that would allow for the following:
Identify the user that clicked
Allow for a callback to Facebook to
get any unique user information
Not sure it matters -- but we are looking at a .NET C# site as the landing page...
You can´t identify the Facebook user in any way without authorization. So when he visits the link, you need to implement authorization and you can check if it´s the same user with FB.getLoginStatus, for example. That function of the JavaScript SDK refreshes the Access Token so you don´t need to redirect to another page when it´s not valid anymore.
Here´s a tutorial, just in case: http://www.devils-heaven.com/facebook-javascript-sdk-login/
But remember: Nothing without authorization.
My scenario is somewhat like this: A user logs into my website with his FB credentials. I capture his ID and the FB access token (say, a long-lived access token). He exits my website, and returns back later. However, this time, his browser has FB open with a different ID. Would I be able to load facebook details of this old id (with which he had registered on my site) using the stored access tokens? Is it possible, or would it result in a clash between the old and the existing FB id?
Correct me if I'm wrong, but he/she should stay logged into your website, regaurdless if his authID changes.
First of all, why would you want to do that? Since Facebook does not allow multiple user accounts for one and the same person, the only case where this would normally come into play is when another user is using my computer/browser – and why would I want you to read my info while that other person is using my device …?
Second of all, as long as the first user is still considered logged in to your site, it makes not much difference. But lets say some client-side method is called that updates the cookie information, then that’s where trouble might start. You might still be able to read the old user’s info, since you have his valid access token – but you’d have to use that token in your requests explicitly, and also address the account specifically, since the Graph API’s /me would point to the new user.
But as I said, I can hardly imagine a real, practical use case here …
I have a Node.js web application that uses Facebook OAuth 2.0 to register/login/logout users using everyauth.
I enabled the deprecation of offline access on my Facebook application so now I receive tokens that expire after ~two months, or when the user changes her password, or when she removes the application, BUT not when she logs out of Facebook
My application is embedded in an iframe into multiple websites and is used to push updates to the user's Facebook timeline.
Say I have my application installed on site A and site B. If the user X logs in my application on A, he is logged into my application on B as well because the iframe preserves the session.
Problem
If the user X logs out of Facebook, anyone else using the same computer on sites that have my application installed is going to push updates on behalf of X.
Is there a way to determine if X is still logged into Facebook before pushing an update?
In other words, I need something similar to Facebook's JavaScript SDK FB.getLoginStatus but on the server side in Node.js. The best thing would be a Graph API call, but I can't find an appropriate URL for it.
IMPERFECT SOLUTION:
In the end, I went with #NitzanTomer's solution described in the comments. I used the JavaScript SDK and its FB.getLoginStatus method to check if the current user of my application is still logged in on Facebook. This is far from ideal: it works in my case because I'm running JavaScript code in an iframe, thus being relatively protected from attacks by the same-origin policy.
You can you use FB.getLoginStatus to check whether the user is connected to Facebook or not:
https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
getLoginStaus function is not there in facebook-node-sdk by amachang but what you can use is the getLoginStatusUrl function: facebook-node-sdk
The user is logged in if returned value is the url you assign to ok_session property. You cannot be sure of the permissions granted to your app though
I have a website based game that has login accounts that I want to integrate into facebook (not facebook connect, I want to use an iframe canvas page).
My question is how can I authenticate a user and how can I check if a user is coming from facebook or directly from the site.
I have been playing around with require_login() using the PHP library. My main fear is how can I authenticate that the GET parameters from facebook are indeed from facebook? If I can do that then I can store their facebook session id and Uid in a session as login credentials.
My other worry is that the GET variable may get passed as a reffer to an external link.
Finally... I find in some browsers that with require_login() that it breaks out of the iframe and gets into an eternal look continually adding additional authtoken's to the URL.
Hope someone can help
Yes you can create a app that works independently as well as facebook app. For the facebook you will have to use the facebook's iframe method to work under facebook.
You can verify the request comes from Facebook by verifying the signature in the same way that Facebook checks that API requests come from your application. With the PHP client library you can use the validate_fb_params() method of the Facebook class to do this automatically.
Bear in mind that session key's are temporary so the user will keep needing to authenticate with Facebook through your application otherwise the key expires within the hour. You may also run into a 3rd party cookie issue with Safari if you're hoping to store the session key in a cookie, and you'll need a compact privacy for quite a few other browser/privacy setting combinations as well. Something like:
<?php
header('P3P: CP="CAO PSA OUR"');
?>
in an include would do it.
And yes: the session key may be passed to external sites as in the referrer properties. It's just one of the security flaws that the platform currently has. The only way around that is either to redirect all external clicks through a handler which removes the referrer, or redirect on page load to strip the fb_sig_ss parameter out.