I have an implementation of Faceebook connect and I have noticed that if you are already logged in to facebook and hit connect, you wont be prompted for your login credentials (because it takes current session data).
Is there anyway to make Facebook connect not use the currently logged in user and force each connect to enter their login/pw?
Actually I believe if you already have the facebook application installed, it bypasses a 2nd window.
This is possible using re-authentication. Quoting:
In apps where security is very important, you may want to double-check someone's identity - perhaps before they make a purchase within the app, or use it to access some sensitive personal data.
To prevent situations where a user could leave a device logged in or man-in-the-middle hijacking of the user session, re-authentication forces a person to re-enter their Facebook password before they can continue to use your app.
For more information, see:
https://developers.facebook.com/docs/howtos/login/client-side-re-auth/
Go to facebook App settings. under Advance tab look for "Force Web OAuth Reauthentication" make that YES. and save it.
From now on your login will ask for user password every time even if facebook browser session is present.
Related
I have an application which asks for a registration through facebook but before a user can proceed to the registration, the system should first determine if there is an active session. If a user is logged in to facebook, it should then automatically logout for a fresh start.
But here is where I'm stuck. The SDKs only let the user log out from facebook if he is connected to your app. It uses the app's access token. But what if he is still not registered to your app? Their log out means to log out from your app, and not really from facebook.
My requirement :
1. How can i log out from facebook.
2. How can i clear the browser cookies?
Not on a specific app but the whole facebook session.
[from comments] But to use the getLogoutUrl() function, the user has to be connected to your app. What I need is to logout from the whole facebook and not just from the app
If the user is connected to your app, then the URL provided by the getLogoutUrl method does that – log the user out of your app (web-app) and out of facebook.com.
If the user is not connected to your app however, you don’t have an active user access token – and then logging out of Facebook is not possible. The obvious reason being that if it was, every website that I visit could log me out of Facebook in a “drive-by” manner – without me actively wanting that, so people would get annoyed quite quickly.
If a user is logged in to facebook, it should then automatically logout for a fresh start.
If this is a security consideration, then you are in fact looking for re-authentication, which can be done using the auth_type parameter, quote from docs:
In apps where security is very important, you may want to double-check someone's identity - perhaps before they make a purchase within the app, or use it to access some sensitive personal data.
To prevent situations where a user could leave a device logged in or man-in-the-middle hijacking of the user session, re-authentication forces a person to re-enter their Facebook password before they can continue to use your app.
Be aware to use the server-side Auth flow though – because in the client-side flow, using the JS SDK, there is a bug that allows the user to bypass re-entering his password by simply closing the popup, which is still open: https://developers.facebook.com/bugs/248632218597467 (Has been assigned Priority: High, but received still nothing more than a “we will follow up” response yet.)
Use the logout.php url.
https://developers.facebook.com/docs/reference/php/facebook-getLogoutUrl/
Basically,
http://facebook.com/logout.php?next=YOUR_NEXT_URL_FOR_LOGOUT&access_token=USER_TOKEN
1) logging out from facebook by using
facebook=>getLogoutUrl();
2) clearing the session by using :
$facebook->destroySession();
example:
Log Out
logout.php page codes as follow:
<?php
require 'facebook.php';
$facebook->destroySession();
header( "location:index.php" );
?>
I am working with integration of a website with facebook.
I have a specific requirement where-in the user should get logged-out from facebook if he/she doesn't grant permissions to my facebook-app (on first use).
Now, If user denies access for my facebook-app, I am redirected to the redirect_uri, but the problem is that on the page that handles the redirection, I cannot log the user out from facebook since my app won't have permission to perform logout.
Can anyone please tell me what is the workaround I could try?
I have a specific requirement where-in the user should get logged-out from facebook if he/she doesn't grant permissions to my facebook-app (on first use).
Is this in a very special environment (like a kiosk application or something) …?
Because otherwise, I’d hate it if random apps logged me out of FB while I’m browsing on my own computer, just because I don’t want to connect to them.
Now, If user denies access for my facebook-app, I am redirected to the redirect_uri, but the problem is that on the page that handles the redirection, I cannot log the user out from facebook since my app won't have permission to perform logout.
Can anyone please tell me what is the workaround I could try?
I don’t know any workaround – to perform a log out on behalf of the user, you need a valid access token – doesn’t matter, if you’re trying to do it client-side or server-side.
If that wasn’t the case, any website I’m visiting could log me out of Facebook, and that would be really annoying to users.
We have exactly the same problem. We've developed a kiosk application used to checkin and post HD photos.
If the user does not accept the permissions we need to reload the application because we can't logout the user in another way.
We've tried different ways but no one was successful
I'm trying to write application for user login to website via Facebook. When user is logging in, he's redirected to http://www.facebook.com/dialog/oauth/?client_id=APP_ID&redirect_uri=REDIRECT_URL&state=STATE, then sees confirmation dialog to use permissions and all goes well. But then FB somehow remembers this application and never asks for permissions confirmation again when user opens this url. Is there any way to always show this dialog? I could do it in Twitter, but couldn't found the answer for Facebook.
If you really want this for some reason, uninstall the app from the user's account with a HTTP DELETE request to /USER_ID/permissions using your app access token.
The next time they come back they'll need to re-authorise the app.
Otherwise, no, there's no way that I'm aware of apart from the reauthentication flow to force the auth dialog to appear, but bear in mind that the reauthentication flow may prompt the user to re-enter their Facebook password even if they're already logged into Facebook, so it adds extra friction to the process
Instead of showing the Facebook OAuth dialog, you could also show the user a page on your application that has some information about the Facebook account that is going to be used (picture/name etc), to log into it. That way, if they like they can choose to log out and re-authenticate or continue knowing they have the right account.
I am developing and testing a facebook app for which I have granted the permissions with my facebook account. Then the app is authorized to access my info, etc. nicely. The next time I close the browser, reopen it, login to facebook successfully then access the app, facebook wants me to login to that app again. I can access the current user id, but how can I automatically authorize the app (if the user has already authorized in the past) without needing the user to press that dread 'Login' button again and again upon each session's end?
UPDATE - offline_access has been deprecated. Read this post for more details: https://developers.facebook.com/roadmap/offline-access-removal/
You will need to request a token that has offline_access so that you can use their authentication token over and over again. Then you will need to set a cookie yourself that stores something indicating who the user is. Facebook does not support a "remember me" feature in their authentication so you have to build it yourself. Store the access token in your database and set the cookie to identify the user.
Unless you are building this for a very specific reason like an app that runs on work computers only, I would really encourage you to not implement this feature. The facebook connect authorization is well understood by users and is very easy to use. You are going to get a lot more security if you make your users press the button every time. Just make sure you make this optional. You never know if somebody is on a public computer.
How to handle seesion in facebook .
when user logs into my appliaction i want to keep the user logged in always which means that every times the user will open the application, he will not need to make login again.
and when the user enter to my iphone applicaiton, the user should be shown as loggedin, and when i try to post to the user wall facebook tells me that the session is inavlid.
Do what the browser does: hold onto the session cookie. When it is unavailable or expired, submit the user's credentials again. It is probably best to expire the session cookie whenever the app exits, and use saved credentials when you start the app again.
Also note that it is a security risk to not require a logon each time the app starts. If the phone is stolen, the thief can use it to access the user's Facebook account. At the very least, be nice and ask for the user's permission before caching their password, and warn them about the risks.