Facebook canvas Iframe App authentication problem - facebook

I am in the conversion process of facebook app from fbml to iframe.
Now i am testing using few iframe pages.
$user = $facebook->require_login();
It gives the current user logged in. Once it get the variable from the facebook.com it saves in cookie by the PHP API provided by facebook).
I logged out using another tab of facebook and i tryed using my app without refreshing the whole site (by just using the links inside my app). It still gives the $user variable.
It indicates that user has logged in instead of user logged out.
Please help me out. I want my app secured.
It looks my iframe app accessible when we select "open this frame in new window".
I need a solution for this too.
Thanks in advance.

You are logged in as far as you are logged in facebook. You will have to create custom PHP's session handling. However, if you want to remove the user from application's cookies, you can do this:
//this will clear cookies for your application and redirect them to a login prompt
$facebook->set_user(null, null);
$facebook->redirect($appcallbackurl);

You can use the JavaScript SDK to subscribe to the logout event via FB.Event.subscribe and reload the page if that happens:
FB.Event.subscribe('auth.logout', function(response) {
setTimeout('window.location.reload()', 0);
});
(Wrapping in setTimeout() is required as a work-around for Firefox.)
To prevent users from using "open this frame in new window," you can check if the page is loaded in an iframe with if(window == window.top) or if the signed_request is available. If not, redirect to the tab URL.

Related

Redirect from Activity post to specific canvas (iframe) page [duplicate]

I am embedding a Facebook app https://example.com into the Facebook app canvas so that it is available at https://apps.facebook.com/EXAMPLE . My application sends notification emails that contain links like https://example.com/messages/123 and that should open the page embedded into the Facebook canvas. How do I achieve this? My current thoughts:
User opens https://example.com/messages/123
Application checks for signed_request parameter
Application redirects user to https://apps.facebook.com/EXAMPLE/?requested_page=/messages/123
Application checks for requested_page parameter and redirects to this page
User sees https://example.com/messages/123 URL and is embedded into canvas
Is there a better pattern out there to get this working?
My final working solution (with Ruby on Rails)
User opens https://example.com/messages/123
Application checks on client-side if app is embedded in canvas:
if(window == top){
top.location = "https://apps.facebook.com/#{Settings.facebook.app_id}#{request.fullpath}";
}
User is redirected to https://apps.facebook.com/EXAMPLE/messages/123
Application middleware converts POST into GET if signed_request is present (code and idea borrowed from https://github.com/dekart/facebooker2/blob/master/lib/facebooker2/rack/post_canvas.rb)
Application parses signed_request with fb_graph gem
FbGraph::Auth.new(app_id, app_secret, :signed_request => params[:signed_request])
I'd just update the link to point to http://apps.facebook/example/messages/123 off the start.
When you check for authentication just set the redirect after authorization/login to the same page.
Redirecting a user around multiple pages for no reason is just not a good practice.

How to redirect the user to the log in page in a Facebook App

I am hosting a Facebook app on Google app engine, I need to make sure the user is logged into facebook before anything.
What I can currently do is display facebook's log in button using fbxml, but I prefer the user would be redirected to Facebook's log in page if he wasn't logged in, then back to my app's main page, this way I can make sure that the user is logged in before doing anything.
I am new to Facebook apps, I read here that I can redirect the user to
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL
in order to authenticate him. But using GAE's self.redirect(url) doesn't work, the page stays the same. I was hoping I could do something like this in my handler:
if u'signed_request' in self.request.POST:
facebook.load_signed_request(self.request.get('signed_request'))
if not facebook.user_id:
self.redirect("https://www.facebook.com/dialog/oauth?"+
"client_id={0}&redirect_uri={1}"
.format(FACEBOOK_APP_ID, EXTERNAL_HREF))
return
but as i said earlier this doesn't work.
I'm assuming by 'Facebook App' you mean a Canvas App - so something that will live at https://apps.facebook.com/YOUR_NAMESPACE from a user perspective?
If so, you'll need to add the redirect via Javascript using window.top, as your app is loaded in an iframe. See https://developers.facebook.com/docs/appsonfacebook/tutorial/ and search for 'top', then view the example toward the end of the page.
There are also good examples on the Php Sdk that facebook provides. I like the with_js_sdk.php example. It runs seamlessly and is good to follow.
https://github.com/facebook/php-sdk
http://developers.facebook.com/docs/reference/php/

Change App Landing Page

I have created a facebook app that works properly, but when it is searched for on facebook, the user is redirected to an app landing page (http://www.facebook.com/apps/application.php?id=111111111). How can I make it so that the user is redirected to the app instead (http://apps.facebook.com/myapp/)?
Thanks a lot.
You can check the window's parent location using JS. window.top.location If it's not in the URL that you are expecting then redirect.

Auto Login facebook user into application

So, Here is the scenario I am trying to fix.
A returning user is logged into facebook but not logged into the application. In this case when the user tries to load the application, since the user cookie is not attained yet, it redirects the user to the login page.
I googled around and found this solution,
FB.Event.subscribe('auth.sessionChange', function(response) {
if (response.session) {
window.location.reload();
}
}
basically whats happening here is, we are registering to facebook for a login/logout event and when it receives a response, we reload the page. Now its loads the right page since we have the user cookie on our site domain after the first load.
this works, but the problem is the double load. It takes a lot of time.
How can I attain the user cookie on server side for returning user? so that I don't have to do the initial page reload.
Also, I have looked at yelp, and somehow they are able to load the user information without doing double load, does anybody know how they are able to do it?
Any help is greatly appreciated,
Thanks!
Try using iframe to load login page again, just containing that; and you can pull data from iframe in sync.

Sharing on Facebook from public kiosk -- user can't logout from FB!

I have a website that is designed to be run at a kiosk at public events. I want users to be able to share a page from this site on Facebook without leaving their Facebook session logged in. This is not a Facebook Connect site (there's no login to synchronize w/FB), all I have is a link for sharing that goes to Facebook's sharer.php:
share this
It allows the user to log in and posts the link fine, but then closes the window and leaves the user logged in. There is no option for logging out, so the next user that comes along and wants to share has the previous user's FB account logged in!
Seems like this just changed when Facebook's UI changed recently; previously it would redirect to the user's profile page after posting, from which they could log out.
How can I fix this? Any recommendations on the "right way" to allow sharing with FB from a public kiosk?
EDIT:
I have entered an enhancement request on bugs.developers.facebook.com (http://bugs.developers.facebook.com/show_bug.cgi?id=9903) to have sharer.php auto-logout the user if a login was required. Please vote for it to get some attention from FB!
My current solution is to force a logout from facebook in the window.onbeforeunload event using a hidden iframe (code below). My site is currenly only intended for the public kiosk, so this is acceptable. For sites intended for public and private use at home, this is probably too brute force and will annoy users.
window.onbeforeunload = function() {
if (do_fb_logout) {
iframe = document.createElement("iframe");
iframe.setAttribute('width', '0px');
iframe.setAttribute('height', '0px');
iframe.setAttribute('frameborder', '0');
document.body.appendChild(iframe);
doc = iframe.contentDocument;
if (doc == undefined || doc == null)
doc = iframe.contentWindow.document;
doc.open();
doc.write("<html><head></head><body>");
doc.write("<form id=fbForm name=fbForm method=POST action=http://www.facebook.com/logout.php >");
doc.write("<input type=hidden name=confirm value=1 /></form>");
doc.write("<script type='text/javascript'>document.getElementById('fbForm').submit();</"+"script>");
doc.write("</body></html>");
doc.close();
}
}
I have tested this so far on Windows browsers FF 3.6, IE 7, and Chrome.
One idea that comes to mind is to give the link a target='_blank' and at the same time redirecting the "mother" page to the Facebook main page using JavaScript. That way, when the window closes, the user will at least have Facebook in front of them.
However, that page will show a "not logged in" status because it was called before the user logged in. Can't think of a way around that except for some ugly frameset frequently refreshing the facebook page - uggh.
Another way that comes to mind is opening the sharer link using a JavaScript mywindow = window.open("http://www.facebook.com/......") and then frequently polling whether mywindow still exists. If it does not (= the window was closed), redirect to the Facebook main page which will show the user's profile and a logout button. Still, also uggh because it's complicated and shaky. Hmmm.
Definitely report this as a bug to Facebook, you're probably not the only one experiencing it.