Checking if a user is logged in to Facebook - facebook

I'm building Facebook integration into my website with the PHP SDK.
The website uses offline_access. According to the Facebook platform rules you have to provide a log out link that logs the user out of Facebook.
What I don't want to do is display the log out link if the user is not logged in to Facebook, since they may confuse it with the reauthorize button. (If they are not logged in, the link wouldn't do anything...)
Is there any way I can check if the user is logged in on Facebook?
My thought was to use the getUser() method to see if I get the user; if not, then I proceed with setting the access token I have, and I would know if the user is logged in or not.
However, the getUser() method checks if the protected $user variable is already set and if so returns it. That makes the getUser() method unusable when I've set the access token and need to check again if the app has access.
I guess I could do it super easily by changing the $user variable to public and set it back to null in my app but I don't want to edit the sdk unless I really have to.

I think you should only be showing the "log out" button if the user is both logged in and authorized. In my experience, you normally do not know if the user is logged into Facebook if they have not authorized your app. And anyway, if they click to authorize your app they are prompted to log in at that point if they are not logged in anyway.

Using the PHP SDK, there are 2 ways to check the user's login status:
$facebook->getUser(); // provides user id of logged in user
$facebook->getAccessToken(); // provides access token of logged in user
If you absolutely need to check to see if the user is logged in, then set the access token and check again: nothing is stopping you from creating a separate instance of a Facebook object and setting the access token yourself.
However, I'm not sure why you would want to do this, since if you have an access token that was obtained with the offline_access privilege it's always valid (until the user deauthorizes or changes password), and if you don't have offline_access, you should use the one that is provided in the signed_request or code.

Related

Facebook: force a device logout BEFORE access token is generated

I have a kiosk application which allows image uploads to fb.
After a successful upload the user is automatically logged out by passing the access token to Facebook.com/logout.php
But, after first logging in there are 2 permission dialogs the user must approve. If the user walks away or the application times out when the permission screens are viewable, the user remains logged in. I am unable to log the user out since the access token does not exist yet!
This is the actual Facebook Graph API call I use to log out:
https://www.facebook.com/logout.php?next='+SERVER_IP+'/logout&access_token='+ACCESS_TOKEN
Hope this makes sense...

Facebook Access Token Invalidation Upon Password Change And How Pinterest gets new access token

I want to know how Pinterest and other sites maintain their session and access Facebook APIs even after the user changes his/her Facebook password, since as far as I know Facebook invalidates the access token issued once the user changes his/her password.
Please help :)
Not sure on the exact implementation Pinterest uses, but if a user changes their password, the OAuth token will be invalidated and you MUST have the user re-login. This is a security feature so, for example, in the event of a hacked account, the user can change his/her password and all tokens will be invalidated (imagine what would happen if this wasn't the case... Your account gets hacked, they authorise their own scam app to have full access to your account, you reset your password... oh, they still have full access to your account as they have an OAuth token).
On this page you can see what error is produced in the event of a password change, and your app must detect this and handle it.
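The following is an added example, not code from either answer or from the SDK. It puts together the two points made above: the first answer's suggestion to check a stored token on a separate Facebook object (so that getUser()'s cached $user cannot hide a token that has since died), and this answer's requirement that the error Facebook returns after a password change be detected and turned into a forced re-login. It assumes the Facebook PHP SDK 3.x (facebook.php, with its Facebook and FacebookApiException classes); YOUR_APP_ID, YOUR_APP_SECRET, YOUR_SITE and YOUR_STORED_TOKEN are placeholders.

```php
<?php
// Added example (not code from the original answers). Assumes the Facebook
// PHP SDK 3.x (facebook.php) and placeholder app credentials; replace
// YOUR_APP_ID / YOUR_APP_SECRET and load $storedToken from your own storage.
require 'facebook.php';

define('FB_APP_ID', 'YOUR_APP_ID');          // placeholder
define('FB_APP_SECRET', 'YOUR_APP_SECRET');  // placeholder

// A fresh instance per check: getUser() caches $user inside the object, so a
// second call on the same instance would not reflect a token that was revoked
// or invalidated in the meantime.
function facebookWithToken($token)
{
    $fb = new Facebook(array('appId' => FB_APP_ID, 'secret' => FB_APP_SECRET));
    $fb->setAccessToken($token);
    return $fb;
}

// Returns 'valid', 'invalidated' or 'error'.
function tokenStatus(Facebook $fb)
{
    try {
        $me = $fb->api('/me', 'GET', array('fields' => 'id'));
        return isset($me['id']) ? 'valid' : 'error';
    } catch (FacebookApiException $e) {
        // OAuthException is what Facebook returns for a token that is expired,
        // revoked, or invalidated by a password change (the password-change
        // case additionally carries error_subcode 460 in the error payload).
        if ($e->getType() === 'OAuthException') {
            return 'invalidated';
        }
        // CurlException and friends are transient: keep the stored token,
        // retry later, and do not log the user out on a network hiccup.
        return 'error';
    }
}

$storedToken = 'YOUR_STORED_TOKEN';   // placeholder: load from your database
$fb = facebookWithToken($storedToken);

switch (tokenStatus($fb)) {
    case 'valid':
        // Token works, so the user is logged in and the app is authorized:
        // only now is it safe to show the logout link.
        $logoutUrl = $fb->getLogoutUrl(array('next' => 'http://YOUR_SITE/logout.php'));
        echo '<a href="' . htmlspecialchars($logoutUrl, ENT_QUOTES) . '">Log Out</a>';
        break;
    case 'invalidated':
        // Token is dead: delete it from storage (your code) and offer a fresh
        // login. This is also the only correct handling after a password change.
        $loginUrl = $fb->getLoginUrl(array('scope' => 'offline_access'));  // scope used by the question
        echo '<a href="' . htmlspecialchars($loginUrl, ENT_QUOTES) . '">Log In</a>';
        break;
    default:
        // Transient failure: show neither link rather than guessing.
        break;
}
```

The three-way result matters: treating every exception as "logged out" would delete a perfectly good stored token whenever Facebook is briefly unreachable, while treating every exception as "still fine" would keep rendering a logout link for a token that Facebook has already revoked.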

How to logout from facebook or destroy an active session using php?

I have an application which asks for a registration through facebook but before a user can proceed to the registration, the system should first determine if there is an active session. If a user is logged in to facebook, it should then automatically logout for a fresh start.
But here is where I'm stuck. The SDKs only let the user log out from facebook if he is connected to your app. It uses the app's access token. But what if he is still not registered to your app? Their log out means to log out from your app, and not really from facebook.
My requirement :
1. How can I log out from Facebook?
2. How can I clear the browser cookies?
Not on a specific app but the whole facebook session.
[from comments] But to use the getLogoutUrl() function, the user has to be connected to your app. What I need is to logout from the whole facebook and not just from the app
If the user is connected to your app, then the URL provided by the getLogoutUrl method does that – log the user out of your app (web-app) and out of facebook.com.
If the user is not connected to your app however, you don’t have an active user access token – and then logging out of Facebook is not possible. The obvious reason being that if it was, every website that I visit could log me out of Facebook in a “drive-by” manner – without me actively wanting that, so people would get annoyed quite quickly.
If a user is logged in to facebook, it should then automatically logout for a fresh start.
If this is a security consideration, then you are in fact looking for re-authentication, which can be done using the auth_type parameter, quote from docs:
In apps where security is very important, you may want to double-check someone's identity - perhaps before they make a purchase within the app, or use it to access some sensitive personal data.
To prevent situations where a user could leave a device logged in or man-in-the-middle hijacking of the user session, re-authentication forces a person to re-enter their Facebook password before they can continue to use your app.
Be aware to use the server-side Auth flow though – because in the client-side flow, using the JS SDK, there is a bug that allows the user to bypass re-entering his password by simply closing the popup, which is still open: https://developers.facebook.com/bugs/248632218597467 (Has been assigned Priority: High, but received still nothing more than a “we will follow up” response yet.)
Use the logout.php url.
https://developers.facebook.com/docs/reference/php/facebook-getLogoutUrl/
Basically,
http://facebook.com/logout.php?next=YOUR_NEXT_URL_FOR_LOGOUT&access_token=USER_TOKEN
1) logging out from Facebook by using
$facebook->getLogoutUrl();
2) clearing the session by using:
$facebook->destroySession();
example (YOUR_SITE, YOUR_APP_ID and YOUR_APP_SECRET are placeholders for your own values):
<a href="<?php echo $facebook->getLogoutUrl(array('next' => 'http://YOUR_SITE/logout.php')); ?>">Log Out</a>
logout.php page code as follows:
<?php
require 'facebook.php';
// the SDK object must exist before its session can be destroyed
$facebook = new Facebook(array('appId' => 'YOUR_APP_ID', 'secret' => 'YOUR_APP_SECRET'));
$facebook->destroySession();
header("Location: index.php");
?>

How can I get facebook to prompt for authorization for my app every time?

I'm writing an app that will allow a user to log in to multiple facebook accounts. Basically I'm just going to store the authorization token for each account and use them as needed, so the authorization is just to get that token, not to actually log the user into facebook. As such, I want the user to have to enter their credentials every time, even if they're currently logged in to facebook. I authenticate the accounts like this:
https://graph.facebook.com/oauth/authorize?
client_id=...&
redirect_uri=http://www.example.com/oauth_redirect
How can I tell facebook to authenticate every time? I'd also like to remove the "remember me" option, so that they aren't logging into the browser with the account that they enter here.
There is a parameter that you can pass to force authentication: auth_type=reauthenticate. For example: http://graph.facebook.com/oauth/authorize?client_id=184484190795&redirect_uri=https%3A%2F%2Fwww.fbrell.com%2Fecho&auth_type=reauthenticate.
Edit: There is documentation for this here: https://developers.facebook.com/docs/reauthentication/.
You can logout the user using FB.logout:
https://developers.facebook.com/docs/reference/javascript/FB.logout/
Caveat: it is against Facebook policy for users to have more than one profile.
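As an added example that is not code from any of the answers above, here is the server-side re-authentication flow that the auth_type=reauthenticate answer in this thread and the earlier "use the server-side Auth flow" answer both point at, written without the SDK so that every parameter is visible. Beyond what the answers show, it adds the OAuth state nonce check on the callback and the server-to-server code exchange. YOUR_APP_ID, YOUR_APP_SECRET and the https://www.example.com/oauth_redirect redirect URI are placeholders; the endpoints are the ones quoted in the question and answer above.

```php
<?php
// Added example (not code from the original answers). Server-side
// re-authentication request plus callback check. YOUR_APP_ID, YOUR_APP_SECRET
// and the redirect URI are placeholders to replace with your own values.
session_start();

define('FB_APP_ID', 'YOUR_APP_ID');
define('FB_APP_SECRET', 'YOUR_APP_SECRET');
define('FB_REDIRECT_URI', 'https://www.example.com/oauth_redirect');

// Step 1: build the dialog URL. auth_type=reauthenticate makes Facebook ask for
// the password even if the browser already has a Facebook session; the random
// 'state' value is stored in our session and checked on return so that a
// forged callback cannot hand us somebody else's authorization code.
function buildReauthUrl($state, $scope = '')
{
    $params = array(
        'client_id'    => FB_APP_ID,
        'redirect_uri' => FB_REDIRECT_URI,
        'auth_type'    => 'reauthenticate',
        'state'        => $state,
    );
    if ($scope !== '') {
        $params['scope'] = $scope;
    }
    return 'https://graph.facebook.com/oauth/authorize?' . http_build_query($params);
}

function newState()
{
    $state = bin2hex(random_bytes(16));   // PHP 7+; 128-bit nonce
    $_SESSION['fb_oauth_state'] = $state;
    return $state;
}

// Step 2: on the callback, compare state before touching 'code'.
function callbackStateIsValid(array $query)
{
    if (empty($_SESSION['fb_oauth_state']) || empty($query['state'])) {
        return false;
    }
    $ok = hash_equals($_SESSION['fb_oauth_state'], (string) $query['state']);
    unset($_SESSION['fb_oauth_state']);   // single use
    return $ok;
}

// Step 3: exchange the code for a user access token, server to server, so the
// app secret never reaches the browser. Older Graph versions answered with a
// query string, newer ones with JSON; both are handled.
function exchangeCodeForToken($code)
{
    $url = 'https://graph.facebook.com/oauth/access_token?' . http_build_query(array(
        'client_id'     => FB_APP_ID,
        'redirect_uri'  => FB_REDIRECT_URI,
        'client_secret' => FB_APP_SECRET,
        'code'          => $code,
    ));
    $body = file_get_contents($url);   // use curl with error handling in production
    if ($body === false) {
        return null;
    }
    $json = json_decode($body, true);
    if (is_array($json) && isset($json['access_token'])) {
        return $json['access_token'];
    }
    parse_str($body, $form);
    return isset($form['access_token']) ? $form['access_token'] : null;
}

// Usage on the page that starts the flow:
//   header('Location: ' . buildReauthUrl(newState()));
// Usage in oauth_redirect:
//   if (!callbackStateIsValid($_GET)) { http_response_code(400); exit; }
//   $token = exchangeCodeForToken($_GET['code']);  // store per account, server side
```

Because the password prompt and the code exchange both happen outside the browser's JS SDK, the close-the-popup bypass mentioned in the earlier answer does not apply: without a fresh authorization code there is no token to store.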

How can I avoid asking users to login (connect) to my facebook app again and again?

I am developing and testing a Facebook app for which I have granted the permissions with my Facebook account. Then the app is authorized to access my info, etc. nicely. The next time I close the browser, reopen it, log in to Facebook successfully, then access the app, Facebook wants me to log in to that app again. I can access the current user id, but how can I automatically authorize the app (if the user has already authorized it in the past) without needing the user to press that dreaded 'Login' button again and again upon each session's end?
UPDATE - offline_access has been deprecated. Read this post for more details: https://developers.facebook.com/roadmap/offline-access-removal/
You will need to request a token that has offline_access so that you can use their authentication token over and over again. Then you will need to set a cookie yourself that stores something indicating who the user is. Facebook does not support a "remember me" feature in their authentication so you have to build it yourself. Store the access token in your database and set the cookie to identify the user.
Unless you are building this for a very specific reason like an app that runs on work computers only, I would really encourage you to not implement this feature. The facebook connect authorization is well understood by users and is very easy to use. You are going to get a lot more security if you make your users press the button every time. Just make sure you make this optional. You never know if somebody is on a public computer.
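The answer above describes the "remember me" mechanism only in outline (token in the database, a cookie identifying the user). As an added example that is not the answer's own code, this shows one way to build it so that neither the Facebook access token nor a guessable user id ever sits in the cookie: the browser gets a random selector plus a random validator, and the server stores only the validator's hash next to the token. $store is a plain PHP array standing in for your database table; the function names are mine. It assumes PHP 7.3 or newer (random_bytes, hash_equals and the setcookie options array) and that the site is served over HTTPS.

```php
<?php
// Added example (not code from the original answer): a "remember me" cookie
// that identifies the user without exposing the Facebook access token or the
// raw user id. $store is a PHP array standing in for your database table;
// assumes PHP 7.3+ (random_bytes, hash_equals, setcookie options array) and HTTPS.

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 3600;   // 30 days

// Called right after a successful Facebook login: keeps the access token on
// the server and gives the browser only a random selector:validator pair.
function issueRememberCookie(array &$store, $userId, $facebookAccessToken)
{
    $selector  = bin2hex(random_bytes(9));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $store[$selector] = array(
        'user_id'        => $userId,
        'fb_token'       => $facebookAccessToken,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + REMEMBER_TTL,
    );
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, array(
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,     // never over plain HTTP
        'httponly' => true,     // out of reach of page scripts
        'samesite' => 'Lax',
    ));
    return $selector;
}

// Called on each new session: returns the stored row for a valid cookie, else null.
// hash_equals() keeps the comparison constant-time; an expired or unknown
// selector is treated exactly like a bad validator.
function userFromRememberCookie(array &$store, $cookieValue)
{
    if (!is_string($cookieValue) || strpos($cookieValue, ':') === false) {
        return null;
    }
    list($selector, $validator) = explode(':', $cookieValue, 2);
    if (!isset($store[$selector])) {
        return null;
    }
    $row = $store[$selector];
    if ($row['expires'] < time() ||
        !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        unset($store[$selector]);   // stale or tampered: drop it
        return null;
    }
    return $row;   // $row['fb_token'] then goes to $facebook->setAccessToken()
}

// When the token is later rejected (deauthorized app, password change), delete
// the row and clear the cookie so the user is sent through login again.
function forgetRemembered(array &$store, $selector)
{
    unset($store[$selector]);
    setcookie(REMEMBER_COOKIE, '', array('expires' => 1, 'path' => '/'));
}

// Usage sketch (your login handler and your page bootstrap):
//   issueRememberCookie($store, $fbUserId, $accessToken);   // only if the user ticked "remember me"
//   $row = userFromRememberCookie($store, isset($_COOKIE[REMEMBER_COOKIE]) ? $_COOKIE[REMEMBER_COOKIE] : null);
```

Splitting selector from validator means a leaked database dump does not yield usable cookies, and a stolen cookie can be revoked by deleting one row. Keeping the feature opt-in, as the answer urges, is what protects someone on a shared or public computer.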