PHP Facebook SDK persistent logged user - facebook

I am having a situation here. You can check my installation at: http://rs.eboxtools.com
The problem is that when I logged once I can't make a true logout. Even when I logout from Facebook I can still see my user info as if I was sign in.
Why is Facebook keep showing the same info?
In my opinion if an user choose to logout the app shouldn't accept the same user and should ask Facebook to log in a user and show only the information if user is logged in. Am I missing the point?
My direct question is. How can I definitely log out from facebook in this situation. I saw many sites like PHP Classes that just let the last user that used Login With Facebook to log in without being logged in at Facebook. This is a security problem right? That means that If I use Log in with Facebook once, even if I logout facebook and the app in question the next person that uses the same option will be logged in at my own account!!
Thanks for any help clarifying this... :)

In your case - you have to remove the PHPSESSID cookie:
setcookie("PHPSESSID","",time()-3600,"/");

Related

Facebook Login/Logout Best Practices

I am implementing Facebook Login (for the web) for the first time and I had some questions regarding the users session and and the best practices for handling logout. Right now, I am using a combination of the JS SDK (only for login flow if js is enabled) and PHP SDK.
Question 1: Should I save the Facebook access token in a PHP session or use the built in "cookies: true" feature in the SDK.
Question 2: If a user that signed up via Facebook returns to the site after a few days, should they be auto logged in, or have to click a login via Facebook button, then just be logged in?
Question 3: If a FB logged in user logs out of my site, should I log them out of Facebook or just my site?
Question 4: If a FB logged in user logs out of Facebook while also on my site (different tab) should I automatically log them out of my site?
1) You can save the access token in a database (but be wary of the expiry date) or save it in a session. Cookies would be the easiest way to manage this and takes care of (2).
2) Depending on how your handle the sessions and the SDK you use, the use would automatically be logged in (e.g. JavaScript method FB.getLoginStatus() to detect if the app has already been authed). You should have a "Login with Facebook" button on your app in any case, for new users.
3) If you use the logout methods in the SDK (e.g. FB.logout() in JavaScript SDK), the user will be logged out of both your site and Facebook. This really depends on how you want to handle this. You can log them out if your site by deleting the session / cookie.
4) You should alway check to see if the user is logged in whenever an action is taken on your site. If the user logs out of Facebook while on your site, eventually, your site should pick it up (using FB.getLoginStatus()) and ask them to login again.
3) Facebook will decide if a user should be logged out of Facebook also or only your site/app, at least when using the JS SDK. From their docs, see link for some case examples:
"The method FB.logout() logs the user out of your site and, in some
cases, Facebook." - Facebook docs

facebook logout without sdk

How can I log out user from facebook without authorizing him myself?
I have a public IPad which people come to, authorize in my application and do stuff.
One of the links leads to m.facebook.com/sharer.php?u=..
When the user presses it, he is redirected to facebook, which asks for his login/pass and makes the share.
Later then the user press Logout on my site
I need to log out him from facebook some way,
so the next user who will use the ipad and press share will post to his wall and not to the first user's .
Same happens when i provide the iframe version of the Like button.
The first user logs in to facebook, makes the like, logs out of my web site,
and the next user see the like button pressed.
Thanks in advance ;)
I've just done some work with facebook recently on one of my projects and I used to visit a url to log them out it was something like
http://www.facebook.com/logout.php?redirect=your_url
It may not exactly be that as its off the top off my head but after visiting that the user got redirected to my site again logged out of facebook.
You may also have to provide a token.
Hope this helps!

Preventing facebook user to automatically login my site

well i have used the facebook api couple of times. But last day i just came across a site which was really new to me. Heres the scenario
If a user is logged in at facebook and comes to my site, he will
automatically be logged in without asking him and also if user logs
out of my site he gets logged out of facebook. But the site i saw
yesterday, they had handled it perfectly, user dose not logs in their
site automatically and even if user logs out from their site, he does
not gets logged out of facebook.
So any help? what is this technique called? or any relevant help?
Best Regards
most site handled the login/authenication by using the login status of the user at facebook ends.
to do what u wants, simply add an additional layer of authentication / login status checking at your own site.
The site level login status is to be retained only for the current session. In other words, once the user went away from the site, the site level login status is gone. With this, when the user returns, you know that he needs to login again.
when the user logged out from your site, you only log him out of your site and do nothing about facebook login
Using the Facebook SDK it will likely tell you the user is logged out when not logged into Facebook, which in theory is the correct behaviour of the whole system, as Facebook want user's to always be connected to Facebook, I quote facebook:
As long as the user is signed into Facebook, they are automatically signed into your site as well.
So if they aren't connected to Facebook, you aren't connected to other sites. In a way it's a deterrant and increases Facebooks market.
But anyhow, it's likely the site you are describing are implementing their own authentican system rather than using Facebook's own SDK, or if they are using the SDK they are using it in moderation and understand about cookies/the above.
The flow to allow the user to be logged into Facebook but out of your site is as so:
When a user logs out of their site, it will unset session data for the site's own application, and also unset Facebook cookies, etc. That way the user is still logged into Facebook but out of your site.
When they try to log in again, Facebook will detect no cookies are available and hence will re-authenticate and pass you onto the url as passed during the authentication process. Your site will then login the user to the site's own application, setting any session variables, etc.
you need to check how you are handling the FB logins and sessions at your end..
my guess is you check the is login at your site and there are some access_tokens which are as per your app id in the cookies of your browser which are helping you to log in ..
and when logging out from your site you are explicitly logging out the user from FB as well
( thats what you are describing atleast )
you seem to be explicitly calling logout or clearing the cookies for fb app id ..

Facebook C# SDK. How to automatic login user if they already login from facebook.com?

Here's the problem,
I want to have the user auto login to my MVC3 website if they already login from facebook.com.
If they are not login from facebook.com, I will just simply show a login button and they can login by clicking on it as usual.
I cant seem to find a way to detect whether user had login from facebook.com unless I force the application to direct go into LoginUrl of Facebook, which is not good for user who was not logged in as this will prompt them a page where they have to login. I still want to allow guest access without facebook account.
Any idea? Thanks a million.
EDIT:
Sorry I forgot to mentioned the situation only apply to user who approve to use my app. Once they approve to use my app, I'll be able to detect their facebook login status.
The answer is: You can't. At least not without violating the facebook TOS and probably at least one or two laws.
EDIT: Your original question sounded like you wanted to try and hijack the facebook user session. What you are talking about here in the comments requires you to use facebook connect / facebook for websites.
You would want to start here: https://developers.facebook.com/docs/guides/web

Help regarding Facebook Connect...!

I have completed the facebook connect process. I need to address the following issues....
If a user has authorised my application: then on pressing F5, he must automatically be signed in...
If the user logs out of my site, he must log out of faceboook as well, and then display a dialog message.
Please help
You could try to redirect the user to Facebook's logout page. I doubt it works but it might be the only possibility.
Why do you want to log the user out of Facebook anyway? As a user I'd be pretty pissed about that, but then again I don't know what kind of app this is so it might make sense in some custom Facebook interface or something.
You could do something like
logout
However, it's rather user-hostile: unless I (the user) have asked you to do that, why the **** are you logging me out of Facebook?