I want to implement facebook connect on my site. I have used the oauth api to obtain a permissions request for the app.
However, I am having the following problem.
If a user signs into my site for the first time using facebook connect, i need to create a new username / password for him (on my site) to be able to surf my site and have all the session variables set. However, what should i use as the username / password ?
I understand that a facebook user can change his email address.
How do i handle users who are logging in using facebook connect for the second or third time (who are already members of my site) ? I need not create a user for them on my site as its already created when he logged in for the first time. Do i check for email address to see if the facebook user's email address exists in the database ? Also, comes the same problem that a facebook user can change his email address.
What is the one thing that does not change for a facebook user that i can use for his username ? Also, what do i use for his password ? Also, i understand that if i use username/password from available app data, then using normal mechanism a user can login to my site too. How do i prevent this security hole ?
Please help.
I use the information that facebook send in the callback (facebook unique user id or normal id)and then check if the user is on my database, if not i insert him but i leaving blank the othe rstuff like password or user email (also you can request that info too check the line 418 in the php api and add "'req_perms' => 'email',")because i can retrive that data when they connect again and then set the sessions like allways.
if the users change teh email just check that on every login and update the data.
example:
$facebook = new Facebook(array(
'appId' => 'xxxxxxxxx',
'secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'cookie' => true,
));
$session = $facebook->getSession();
$me = null;
// Session based API call.
if ($session) {
try {
$uid = $facebook->getUser();
$me = $facebook->api('/me');
} catch (FacebookApiException $e) {
error_log($e);
}
}
// login or logout url will be needed depending on current user state.
if ($me) {
$logoutUrl = $facebook->getLogoutUrl();
} else {
$loginUrl = $facebook->getLoginUrl();
}
if ($me) {
if (!isset($_SESSION["usr_id"])){
$_SESSION["usr_id"] =$me['id'];
$_SESSION["usr_name"]=$me['name'];
// or do your sql verification and then set the sessions
}
}
/////////////////////////////////////////////
Facebook offers user's unique ID. You can recognize user with this information.
Related
The long story
I'm currently working on a site, that restricts some of its content to registered users (users, who have filled the registration form) and facebook users (who have authorized the site to access their informatin). I'm using a cookie to store which type of login was used the last time the user was on that site. 0 stands for "no previous logins" or "user logged out", 1 for "registered user" and 3 for "facebook user". If a facebook user has logged in to their facebook account, I want the site to log the user in ONLY if the cookie is "2" (the previous login was done using facebook login). Otherwise, I want the user to click "facebook login" button. By default, it opens a popup and closes it immidietly. How can I prevent the popup from showing up at all and sending the user to a specific URL instead?
For those who don't understand my messy talk or just want to get to the point
I have a facebook login button (<fb:login>) and instead of a popup, I need it to redirect the user.
Use FB.getLoginStatus() Javascript SDK function to check the login status of users. See: http://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
Use the PHP-SDK:
<?php
require 'facebook.php'; # The SDK
# Create our Application instance (replace this with your appId and secret).
$facebook = new Facebook(array(
'appId' => 'APPID',
'secret' => 'APPSECRET',
));
# ----------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------
// Get User ID
$user = $facebook->getUser();
/* We may or may not have this data based on whether the user is logged in.
If we have a $user id here, it means we know the user is logged into
Facebook, but we don't know if the access token is valid. An access
token is invalid if the user logged out of Facebook. */
if ($user) {
try {
# Proceed knowing you have a logged in user who's authenticated.
$dt = $facebook->api('/me'); # User Data
$lk = $facebook->api('/me/likes'); # User like's Data
} catch (FacebookApiException $e) {
error_log($e);
$user = null;
}
}
# ----------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------
# Handler for Login Status
if ($user) {
$logoutUrl = $facebook->getLogoutUrl();
} else {
# This is the User LogIn URL, and if the user hasn't already given your app the permissions this url will ask him/her for that.
# After the 'scope' is where the permission are written.
$loginUrl = $facebook->getLoginUrl(array("scope" => "email,user_birthday,user_likes,user_work_history,user_location,user_education_history"));
}
# -------------------------------------------------------------------------------------
if (!$user): header ('Location:'.$loginUrl.''); # This is where we check if the user is logged in to facebook or not, if not, the user will be re-directed to the log in page.
else:
# If the user is logged in, do some code...
endif;
?>
I'm using the php sdk v3.0.1.
I am trying to get offline access from users.
When my app requests permission from the user, it does so for the currently logged in user. I'd like to first check if a facebook account is logged in, and if so display a message. for example:
User "John Doe" is currently logged in.
then I'd have a link to "log out" or a link to continue to the permission page.
I was trying this but it always returns 0:
$facebook = new Facebook(array(
'appId' => 'XXX',
'secret' => 'YYYYYYYYY',
));
// Get User ID
$user = $facebook->getUser();
if($user)...
else...
the if statement always fails and then when the else is procesed and I send them to the login page, it requests permission for the currently logged in user (which I don't want).
I've searched extensively and can't find an answer. :-/ Any help or suggestions would be appreciated. I'm completely new to the facebook api.
Basically you would like authentication and permission requests to be separate. Correct me if I'm wrong about that. So you can just send users through a plain authentication step:
$loginUrl = $facebook->getLoginUrl();
and then later send them through again with the proper permissions.
$arg['req_perms'] = "[permissions here]";
$loginUrl = $facebook->getLoginUrl($arg);
This will get you a separate login and permission request step.
I'm using Facebook OAuth interface but can't get immediate mode parameter working. Do you have any idea how that works with FB or any other url to use instead?!
(I don't/can't use FB JS libraries.)
A great way to make users login into your website with their Facebook account is to use the Facebook PHP SDK (see on github). So you will have something like :
require "facebook.php";
$facebook = new Facebook(array(
'appId' => YOUR_APP_ID,
'secret' => YOUR_APP_SECRET,
));
$user = $facebook->getUser();
If the user is logged in, then $user is his Facebook ID. You then have to check if you have a valid access token by making an API call :
If it does not raise any exception, then you have a valid access token
If it does, then you have to re-authenticate the user.
Here you go :
if ($user) {
try {
$facebook->api('/me');
} catch (FacebookApiException $e) {
$user = null;
}
}
You need then to display the login or logout link :
<?php if ($user): ?>
Logout of Facebook
<?php else: ?>
Login with Facebook
<?php endif ?>
When the user is logged in and you have a valid access token, you can make API calls to get data from Facebook :
$user_profile = $facebook->api('/me');
You may want to check the example page of the Facebook PHP SDK which is well documented.
Hope that helps.
I have extracted following url from FB php-sdk (which Quentin reminds me):
https://www.facebook.com/extern/login_status.php
?api_key=<your app-id or api-key>
&no_user=<callback url>
&no_session=<callback url>
&ok_session=<callback url>
&session_version=3
When you redirects user to above url (or open it as an iframe or popup) Facebook silently/immediately redirects backs user/browser to:
no_user when user has NOT signed in.
no_session when user has signed in but has NOT authorized your app yet.
ok_session when user has signed in and already authorized your app. Additional parameters (user identification and required token) will be appended to this url by FB which you need to validate.
For example:
https://www.facebook.com/extern/login_status.php
?api_key=123456789012345
&no_user=http://example.com/signin/fb/no_user
&no_session=http://example.com/signin/fb/no_session
&ok_session=http://example.com/signin/fb/ok_session
&session_version=3
Put them in one line whit no spaces and don't forget to encode urls if needed.
See OpenID Immediate mode to find out why this is useful.
If you are developing java based application, in that case you can use SoicalAuth library.
http://code.google.com/p/socialauth/
I'm doing an app for facebook anb i've requested permission for grab his information, but the data wasn't been saved.
The problem now is that I need their e-mail that was authorized before but I can't grab now. Now I know that I should have asked also the 'offline_access' permission.
:-/
Is there any other way to grab the e-mail now?
Somehting like some script on my FB page checking if the user has been authorized to know his e-mail, and if Yes, I grab the info, or something like that?
Thanks..
You have to get your users to re-visit your application and use a valid access token to fetch/store their e-mail address. You can't get access to a user's email address without a valid access token (either an offline_access token, or a standard one)
Well, that was the solution that saved me:
Sending to my e-mail all users that came back to my app, as I was looking for one e-mail specific (but I could save in the database instead)..
Enjoy,
Diego Trigo
#Creating the facebook object
$facebook = new Facebook(array(
'appId' => 'APP_ID',
'secret' => 'APP_SECRET',
'cookie' => true
));
# Let's see if we have an active session
$session = $facebook->getSession();
if($session){
try {
$facebook_id = $facebook->getUser();
$_fb_profile = $facebook->api('/me'); //if not null valid session
$facebook_name = $_fb_profile['name'];
$facebook_link = $_fb_profile['link'];
$facebook_email = $_fb_profile['email'];
mail('myemail#domain.com',$facebook_name,$facebook_email);
//echo "authorEmail = '$facebook_email';";
}
catch (FacebookApiException $e) {
//nothing..
}
I know I can request:
https://graph.facebook.com/me?access_token=ACCESS_TOKEN
But 'me' which refers to the 'active user' which presumably is the user logged on to facebook on this machine which would be the server, I need the facebook user at the clients end user_id so my server can make requests to the GraphAPI about that user using the format:
https://graph.facebook.com/USER_ID?access_token=ACCESS_TOKEN
I guess you are missing the fundamentals of the user authentication concept which is not only related to Facebook.
Let us assume that two users A & B visited domain.com/fb_profile.php, which contains (the example file from the PHP-SDK):
<?php
require '../src/facebook.php';
$facebook = new Facebook(array(
'appId' => 'APPLICATION_ID',
'secret' => 'APPLICATION_SECRET',
'cookie' => true,
));
$session = $facebook->getSession();
$me = null;
// Session based API call.
if ($session) {
try {
$uid = $facebook->getUser();
$me = $facebook->api('/me');
} catch (FacebookApiException $e) {
error_log($e);
}
}
// rest of code
They both logged in successfully, and the page reloaded. What happened now is that we have a valid session for both users!
And when the fb_profile.php is requested from the user A (client) the $facebook->api('/me'); will be holding the "active user" details from that specific request (client)! and your machine (the server) will be holding the sessions for all the logged in users!
So each time fb_profile.php is requested from a client with a valid session, the result of executing $facebook->api('/me'); will be related to that specific session from that specific client!
So what have you said here (in bold) is wrong:
But 'me' which refers to the 'active
user' which presumably is the user
logged on to facebook on this machine
which would be the server
And by the way, when you have a valid session both:
$facebook->api('/me');
And:
$facebook->api('/USER_ID');
Will return the same info (of course the USER_ID is the id of the user logged in on the client-side).
Looking at the source code of the SDK's I found they parse the user_id from the access token:
/*
* access_token:
* 1249203702|2.h1MTNeLqcLqw__.86400.129394400-605430316|-WE1iH_CV-afTgyhDPc
* |_______|
* |
* user id
*/
BUT one shouldnt have to do this as instead of requesting the token your app should redirect them to the landing page following which facebook will re POST the signed_request with the access_token and user_id. The facebook documentation on authorisation (it seems to have since been updated) wrongly told ones app to request token but that is only applicable for websites not apps. I find it annoying how the facebook docs keep telling one how simple it is yet they fail to simply explain it and get wrong anyway...