I have a desktop application that uses facebook authentication in offline mode. There is no session key as the app returns me an access token.
It stores the access token and allows the user to post to facebook at other desktop app locations around an event.
The problem I'm having is that after a user goes through the oauth, I can't clear the session data for the next user.
I've tried deleting all the cookies, but that causes a facebook script error when the next user tries to authenticate...
I'm simply looking for a way to remove the session cache from the machine and not cause javascript errors...
This is the closest I've found to anyone figuring this out. It doesn't work for me, though:
http://forum.developers.facebook.net/viewtopic.php?id=84232
My problem is that I can't log the user out if they haven't authorized my app and returned an access token yet.
Related
I have an application which asks for a registration through facebook but before a user can proceed to the registration, the system should first determine if there is an active session. If a user is logged in to facebook, it should then automatically logout for a fresh start.
But here is where I'm stuck. The SDKs only let the user log out from facebook if he is connected to your app. It uses the app's access token. But what if he is still not registered to your app? Their log out means to log out from your app, and not really from facebook.
My requirement :
1. How can i log out from facebook.
2. How can i clear the browser cookies?
Not on a specific app but the whole facebook session.
[from comments] But to use the getLogoutUrl() function, the user has to be connected to your app. What I need is to logout from the whole facebook and not just from the app
If the user is connected to your app, then the URL provided by the getLogoutUrl method does that – log the user out of your app (web-app) and out of facebook.com.
If the user is not connected to your app however, you don’t have an active user access token – and then logging out of Facebook is not possible. The obvious reason being that if it was, every website that I visit could log me out of Facebook in a “drive-by” manner – without me actively wanting that, so people would get annoyed quite quickly.
If a user is logged in to facebook, it should then automatically logout for a fresh start.
If this is a security consideration, then you are in fact looking for re-authentication, which can be done using the auth_type parameter, quote from docs:
In apps where security is very important, you may want to double-check someone's identity - perhaps before they make a purchase within the app, or use it to access some sensitive personal data.
To prevent situations where a user could leave a device logged in or man-in-the-middle hijacking of the user session, re-authentication forces a person to re-enter their Facebook password before they can continue to use your app.
Be aware to use the server-side Auth flow though – because in the client-side flow, using the JS SDK, there is a bug that allows the user to bypass re-entering his password by simply closing the popup, which is still open: https://developers.facebook.com/bugs/248632218597467 (Has been assigned Priority: High, but received still nothing more than a “we will follow up” response yet.)
Use the logout.php url.
https://developers.facebook.com/docs/reference/php/facebook-getLogoutUrl/
Basically,
http://facebook.com/logout.php?next=YOUR_NEXT_URL_FOR_LOGOUT&access_token=USER_TOKEN
1) logging out from facebook by using
facebook=>getLogoutUrl();
2) clearing the session by using :
$facebook->destroySession();
example:
Log Out
logout.php page codes as follow:
<?php
require 'facebook.php';
$facebook->destroySession();
header( "location:index.php" );
?>
A lot of apps keep user logged in until user manually logs out like facebook, dropbox, etc.
I am wondering how they achieve it? There might be several approaches:
1)Do they store the username and password in a local storage, and automatically log the user in when they open the app again after a long time?
2)Or do they get a long-lived token from the server, and once the user login at very first time, the app gets a token from the server, later on they just use the token? The token will be valid until user manually logout from the app.
For #1, it will only work for native login, if an app supports "log in with facebook or twitter" it won't work.
So I just want to get an idea about how people achieve this feature? Is there any articles talk about it?
Most services like Facebook and Twitter use OAuth to manage the user session.
I use this external framework... https://github.com/nxtbgthng/OAuth2Client
It took me a while of reading and setting up to get right but it works now.
When the user logs in they get an auth token that contains an expiry date. When the expiry date comes the system automatically refreshes the token.
When I send a request to the server I send it via the OAuth framework and it adds the authorisation automatically.
EDIT from #avs099: I'm starting the bounty on this post as I have exactly the same issue. I summarize the problem here, and leave the post itself without any changes at the bottom for the reference.
What we have: Facebook page access token, obtained as described here: Authenticating as a Page and which live was extended to 60 days with new fb_exchange_token request.
What is the problem: this token works for some time - sometimes I can post hundreds of photos to my fan page in the period of several days; sometimes it's literally few photos - and then I start getting either
(OAuthException) Error invalidating access token: The session has been
invalidated because the user has changed the password.
or
(OAuthException) Error invalidating access token: Session does not
match current stored session. This may be because the user changed the
password since the time the session was created or Facebook has
changed the session for security reasons.
exceptions from the Facebook - but of course I did not do change password or deauthorized the app.
Additional information: Not sure if that matters but:
Sometimes I start using token few days after I request it from the Facebook
Token is requested (by the C# backend) from the server
which is located in a different geographical region from the desktop
app which posts photos to the fan page.
It happens sometime that several different desktop apps post photos from different PCs (i.e. different IPs I guess)
Anybody has a clue what's going on and how to resolve this?
Thank you.
I have a facebook app that serves two purposes:
1) Allows users to facebook connect with my site
2) Allows my site to post to my sites facebook fan page wall
What I'm concerned about is the 2nd usage. I used to be able to set the permissions for an app on a fan page to just allow posting (via the php sdk) without any concern about an access token. Now I've created some new fan pages and that functionality seems to have been removed. Alright, so I go through the whole process of getting an access token (successfully) for the user (always me or another admin of my facebook fan pages) and use that token to get the access tokens for the fan pages I manage (I have the manage_pages permission and so do the other admins for the pages I want to post to). However by the engine gets around to posting content to my fan pages the tokens have expired with one of two error messages:
Error invalidating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.
or
OAuthException: Error invalidating access token: The session has been invalidated because the user has changed the password.
But this isn't an access token dependent on outside users, only internal people (me and one other guy right now). We aren't changing our passwords or doing anything. I've even tested it by logging out of facebook after acquiring tokens and it works fine. It's just after a little while they expire for no reason that I can determine. When I get the tokens I can check them on the debugging tool and they are supposed to last 60 days (according to the doc) although the tool says they never expire.
I've set up the system so when it fails to post to the page I get an email with the link to my site to update the tokens.
Anyone have a clue what's going on?
As Mikhail pointed out, if you get an error reporting that the token is invalid cause user has changed the password. Odds are you are requesting a new token somewhere hidden in the code, when you already have a valid one.
Possibly related to this bug? https://developers.facebook.com/bugs/241373692605971?browse=search_4fb4832bcaf7b1549293950
I have the same problem in my app - sometimes tokens expiring.
One of the find reason: sometimes my app ask for new token while old token is valid and FB return an error or i couldn't save new token for some reason.
After that old token expire - only one token for pair user-app may be valid.
You can fetch the unauthorized token so a new token is requested (or whatever you like).
I can provide a nice explanation but you can read it all here:
https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
A temporary solution is to ask the user to delete the application from it's profile, and allow it again.
I had same problem and resolved it "reinstalling the app to users facebook applications". it may help you if nothing answers to problem.
To do that:
facebook user who is facing the problem goes to its facebook page
he/she removes your app from his/her application list.
Retry to login via facebook sdk on android.
Per the SDK, I am using the logout.php with redirect:
https://www.facebook.com/logout.php?confirm=1&next={SOME URL}&access_token={ACCESSTOKEN}
It is logging me out fine, but it's also logging the user out of facebook. Isn't there a way of logging out of my OAuth session without logging out of facebook?
Yes, I ran into this same issue myself. Dont do logout.php or JS SDK's FB.logout(). Rather call the Graph API with an HTTP Delete command to me/permissions. That will kill the access token, remove the app from the user's app listing and maintain their browser's cookie for facebook. You can call it either server side or client side. Here's the client side Javascript SDK way:
FB.api("me/permissions","delete", function(response){/*do something if you want*/})
This is one of the many annoying things about developing on the Facebook platform. The only way to log out via a browser session is to use their javascript logout function or the redirect like you tried but either will also log the user out of Facebook which is very annoying from a users perspective. The problem is you can't access the cookie they set for your app to delete it due to cross-domain restrictions so you are stuck with the limited options Facebook provides. If you are not prompting for offline_access, you could just forget the users access token and it will expire after an hour. Although the problem still exists that the cookie is still set for within that hour.
I am the owner of a facebook like page. I want to grab the news feed using php and output it on my website. I know that I can do this using a valid access token:
https://graph.facebook.com/my_app_id_here/feed?access_token=My_access_token_here
Problem access tokens expire so I know I need to authenticate periodically to get a new access token.
This is where the problem and confusion arises for me. When I read the authentication guide in the facebook dev docs all it talks about is first authenticating the user to get a authorization code from the user and then authenticating the app using the app secret, app id and auth code fromthe user. But this doesn't apply to my situation - I never have a authorization code form the user - all I'm trying to do is access the feed from a php script running on my server....a user is never involved.
Any ideas anyone?
User has to approve your application only once, and later use they can just access your app and use it without approving
Since you are the owner of the like page, I guess you are also the administrator. What you can do in this case is create an offline access token for this (and only for that) user.
You can then use this access token for your script. No user needs to authenticate anything if you only want to grab the feed of your page with the access token of your administrator.
This token never expires except for changing the user's password or taking away permissions again. Look at this answer to see how to create such an offline access token!
It seems offline_access is no longer available. Now you only get a short-lived access_token and you can ask for a long lived one, which is also renewable. You can't get a permanent one though.