I have an app within which I submit data to Facebook, I have the login and everything working perfectly, storing user credentials in the user defaults upon successful login.
The problem I am having is that there seems to be no way of detecting when a user has logged out of either the Facebook app or using Mobile Safari. This means that my app is tied to one and only one user for its lifetime.
I do not want to put a 'Logout' button in my app, if I had one then I could easily call the logout method and delete the user credentials meaning a new user could authenticate with my app, but that's not a possibility.
Does anyone know of a way I can check if a user is logged in and if so get their Facebook ID? This way I could force authorisation again if either there is no one logged in or the credentials of the logged in user and saved credentials do not match.
Thanks
I think the issue and the confusion here is that FB has implemented "Single Sign On (SS-On)" but not "Single Sign Out (SS-Out)".
The way SS-On works is that if you have previously logged in on your app, you will have the token stored on your app. This means that even though you have logged out on the FB app and perhaps then subsequently logged in as another user, as long as your app still has the token from the previous user, you can still access the previous user data.
What you could do is closeSessionAndClearToken on your app when it goes to background. This might or might not be the desired behavior for you. Note that this means every time your app comes back to active from background, it will need to do the whole drill of SS-On all over again every time.
- (void)applicationDidEnterBackground:(UIApplication *)application
{
    [FBSession.activeSession closeSessionAndClearToken];
}
You can use
if (![facebook isSessionValid])
{
    // The session is no longer valid:
    // 1. Either the user has logged out
    // 2. Or the user has changed the password
}
Related
I wonder what kind of workflow other people have had when logging in with facebook.
I have an app that requires signup. People can also signup by logging in via facebook. That part has been integrated.
However, when a user signs in with facebook (which means: facebook page open and requires login), my workflow takes the user to a screen where he needs to create a username (as having a username is required).
After the user picked up a username, then I create this new user, save the facebook token and generate a password.
Now, automatically, the user will be logged in in my app.
Next time the user opens the app, in background, I will log in the user taking the email (which originally was fetched from facebook) and the password, which are stored in local storage.
But what if the user logs out or deletes the app and reinstalls it? I have seen that this happens sometimes. In that case, the workflow (if the user clicks on facebook login on my app) will take the user again to facebook. And after he logs in to facebook, he will come back to my screen where he can choose a username. This is bad, because I already created an account for the user with the email bound to that facebook account.
Of course, I can understand that this user that logs in via facebook already has an account. But what can I do? Can I just log him in in the background? Are there any security implications (yeah, my app is not that sensitive, but I would prefer to use best practice)?
Yes, if the user already logged in once, the expected behavior is to be logged in again on future visits to the app. If the user passed the Facebook login, you can safely assume that it is the same user imho.
I have a page tab app. The authorization works fine - the user clicks the authorize button on the app, the OAuth dialog pops up, they authorize the app, it redirects back to the page tab and the user goes about their merry way, using the app.
I need to know one thing, and for the life of me I cannot find a real answer - is it possible to identify the one http request that occurs immediately after the user authorizes the app? I simply want to log the user's data when a user authorizes the app, without having to hit the database and test if the facebook user id has already been logged. You'd think this would be easy...
Thank you for your time.
Yes, you can do this with the help of the signed_request.
Read here how to handle authorization in page tab.
Simply, when the user comes to the app:
- Check whether user_id exists in the signed request; if it does not exist, then he has not authorized.
- Store some variable in session.
- When the user logs in, check whether the session variable exists or not. If it exists, it's a fresh install.
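Added example, not part of the original answer: a server-side sketch of the steps above that verifies the signed_request before trusting its user_id. It relies on Facebook's documented format (base64url signature, a dot, base64url JSON payload, HMAC-SHA256 keyed with the app secret); the function names, the APP_SECRET value, the "awaiting_auth" session key and the sample payloads are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

APP_SECRET = b"constructed-app-secret"  # placeholder for this example only

def b64url_decode(data):
    # Facebook strips '=' padding from both parts; restore it first.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def make_signed_request(payload, secret=APP_SECRET):
    """Build a constructed signed_request so the example runs offline."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(sig).rstrip(b"=") + b"." + body).decode()

def parse_signed_request(signed_request, secret=APP_SECRET):
    """Return the payload dict only if the HMAC-SHA256 signature verifies."""
    try:
        encoded_sig, encoded_payload = signed_request.split(".", 1)
        sig = b64url_decode(encoded_sig)
        expected = hmac.new(secret, encoded_payload.encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged, tampered, or signed with another secret
        payload = json.loads(b64url_decode(encoded_payload))
    except (ValueError, AttributeError):
        return None  # malformed input
    if not isinstance(payload, dict) or payload.get("algorithm") != "HMAC-SHA256":
        return None
    return payload

def classify_request(signed_request, session, secret=APP_SECRET):
    """Apply the session-flag steps from the answer to one page-tab request."""
    payload = parse_signed_request(signed_request, secret)
    if payload is None:
        return "rejected"
    if not payload.get("user_id"):
        session["awaiting_auth"] = True  # hypothetical session key
        return "not_authorized"
    if session.pop("awaiting_auth", False):
        return "just_authorized"  # first request after the OAuth dialog
    return "returning"
```

The flag only distinguishes a fresh authorization within one session; a user who authorized earlier and arrives with a new session is classified as "returning".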
I have an app which users can log in to using Twitter and Facebook. I had no issues with Twitter as the access token never expires; however, Facebook's does. In my app I can connect an FB account if the user logs in with Twitter and vice versa. Facebook is basically used to share something to the user's wall. The issue that I am having now is that when a user tries to share something using their Facebook account and the access token expires, it pops up a login screen, and after I log in it doesn't share it anymore. So what is the best way to maintain this token? I've never had any experience using any other app that asks me to login again... how do they manage with this tok
I believe you have to ask the permission "offline_access", this makes your access token last until the user decides to remove your application. In which case, you can decide to remove from your database his data or not via the deauthorization URL.
See, you need to understand that Facebook and Twitter work differently.
You can essentially store the accesstoken in NSUserDefaults as:
// Persist the access token and its expiration date between launches
[[NSUserDefaults standardUserDefaults] setObject:_facebook.accessToken forKey:@"fb_access_token"];
[[NSUserDefaults standardUserDefaults] setObject:_facebook.expirationDate forKey:@"fb_exp_date"];
(I suppose you are already doing that)
The token lasts until the expiration date, until the user changes the account password, or until the user removes your application, in which case you will get an exception.
After getting an exception, you have to log in again and get the new token, and if you want to post the message again, the dialog box will appear.
And since the FBDialog is a WebView, you can't perform the action without tapping on publish.
I'm implementing facebook connect for my iPhone app. The current facebook SDK would keep you logged in unless you log out explicitly, which is fine with me as stay logged in is actually the requirement. However, I don't want the users to go press the log in button if they never logged out. In this case, I won't be able to grab the facebook object, which I'll need in other parts of my app. So I was planning to simulate the log in event anyways, but that led me to another problem: even though permissions are granted to my facebook app before, it will still pop up the authorization dialog to my users saying they have granted permissions to my app. My question is, how do I hide this? Or, is there a way that I can grab the valid facebook object without calling authorize on my facebook object when my app is restarted and the user stayed logged in?
Any suggestion would be appreciated.
You could redirect the user to https://www.facebook.com/login.php?api_key=<YOUR_APP_ID>. (This is the URL that the PHP Facebook SDK returns when you call getLoginUrl()). This will avoid the dialog and still allow users to authorize your app.
I am developing and testing a facebook app for which I have granted the permissions with my facebook account. Then the app is authorized to access my info, etc. nicely. The next time I close the browser, reopen it, login to facebook successfully then access the app, facebook wants me to login to that app again. I can access the current user id, but how can I automatically authorize the app (if the user has already authorized in the past) without needing the user to press that dread 'Login' button again and again upon each session's end?
UPDATE - offline_access has been deprecated. Read this post for more details: https://developers.facebook.com/roadmap/offline-access-removal/
You will need to request a token that has offline_access so that you can use their authentication token over and over again. Then you will need to set a cookie yourself that stores something indicating who the user is. Facebook does not support a "remember me" feature in their authentication so you have to build it yourself. Store the access token in your database and set the cookie to identify the user.
Unless you are building this for a very specific reason like an app that runs on work computers only, I would really encourage you to not implement this feature. The facebook connect authorization is well understood by users and is very easy to use. You are going to get a lot more security if you make your users press the button every time. Just make sure you make this optional. You never know if somebody is on a public computer.