0

I have a webpage (in Drupal 6) which contains a Facebook like button, a comment box like. The Facebook receives through open graph tags the information which has to be shared. This site is not accessible for anonymous users, only for registered users.

When an anonymous user tries to open the site, he's redirected to the log in page. Here comes the problem: when Facebook scans the page to receive the information which should be shared, the site handles as anonymous user and redirects to the log in page. So the Facebook receives the log in page's information (image, description). Can I decide/verify somehow when the Facebook is trying to scan my site to avoid to redirect it to the log in page (somehow without Facebook API)?

MMMM
  • 1,319
  • 1
  • 14
  • 32
  • You can use in a manner so that if user is logged in then facebook api will be called or it will not call facebook api. Use a if else statement with you logged in user id – Neeraj Kumar Dec 02 '13 at 11:04
  • I don't would like to use FB API, if there is any manner to resolve the problem without. – MMMM Dec 02 '13 at 11:21
  • if you want to to use facebook like button then you have to use facebook API there is no other way out. – Neeraj Kumar Dec 02 '13 at 11:22
  • 1
    You can get the list of Facebook IPs (http://stackoverflow.com/questions/11164672/list-of-ip-space-used-by-facebook) and let them bypass authentication. Careful, though. – soulseekah Dec 02 '13 at 12:14
  • 1
    Using the IPs as @soulseekah recommends, and/or identifying the Facebook user agent `facebookexternalhit/1.1 (+http: //www.facebook.com/externalhit_uatext.php)` and not redirecting to the login page is the best way to approach this. – madebydavid Dec 02 '13 at 13:52
  • Thank you, guys, please add this as answer, I would like to accept it. I'm not sure who of you gave the better answer, soulseekah came first with the idea but madebydavid expanded it with the user agent - so who will add the first, i'll accept it :) thanks – MMMM Dec 02 '13 at 14:11
  • @madebydavid that is dangerous, as anyone can spoof a User-Agent header. Careful. – soulseekah Dec 02 '13 at 14:14
  • @soulseekah - true - but perhaps you can just load a simple page with only the open graph tags and an empty for the FB user agent. Or you can check both IP and user agent. Anyway - you can submit an answer. – madebydavid Dec 02 '13 at 14:15
  • @madebydavid Right, you can have the share link contain an extra param, say `fb=1` and if that's detected simply output nothing but the image, description and title without authentication. Might be more work though. – soulseekah Dec 02 '13 at 14:17

1 Answers1

1

You can get the list of Facebook IPs (List of IP Space used by Facebook) and let them bypass Drupal's authentication.

Another option is to override the description, image and title (see: Want custom title / image / description in facebook share link from a flash app).

Another option is to have an extra parameter, like fb=1 and generate the necessary tags for facebook to parse, that include the image, short description and title without any authentication required. Append fb=1 to your share links then. The facebookexternalhit/1.1 (+http: //www.facebook.com/externalhit_uatext.php) user-agent can also be sensed instead when generating share snippets (thanks @madebydavid). But be careful not to show or authenticate the user, since anyone can set the user-agent header or append fb=1 to your URL.

Stay safe.

Community
  • 1
  • 1
soulseekah
  • 8,770
  • 3
  • 53
  • 58