2

I'm using the Facebook SDK for JavaScript in an AngularJS website.

I'm trying to prefill a registration form using a Facebook login. The first time, the Facebook modal appears, I enter my information, it logs in and I get the data I need, as expected.

Then I complete the registration and log in to the system. Then I log out of the system, while also performing a Facebook logout.

Then I went back to create a second registration, expecting to test the registration with a different Facebook account...

But when I hit Facebook login to prefill the form, instead of the SDK showing the Facebook login modal again for me to enter a new login, it performed a login with my previous data.

When I went to check the reason, I discovered that the Facebook status says 'connected'. I was expecting to be disconnected, since I had successfully performed a Facebook logout.

Am I wrong in assuming this? How can I disconnect the first user to be able to use a different Facebook account on my second registration?

To login, I'm using:

var deferred = $q.defer();
FB.getLoginStatus(function(response) {
    if (response.status === 'connected') {
        console.log('already logged in.');
        deferred.resolve(response);
    }
    else {                    
        FB.login( function(response) {
            if (response.authResponse) {
                console.log('response: ' + JSON.stringify(response));
                var access_token = response.authResponse.accessToken;
                console.log('access token: ' + access_token);    
                console.log('Welcome!  Fetching your information.... ');
                deferred.resolve(response);                            
            } else {
                console.log('User cancelled login or did not authorize.');
                deferred.reject('Error occurred');
            }
        }, {
            scope: 'public_profile, email, user_birthday',
            return_scopes: true
        });
    }                        
});    
return deferred.promise;

And my logout is like:

var deferred = $q.defer(); 
FB.logout(function(response) {  

    // I've tried with and without this line of code: 
    FB.Auth.setAuthResponse(null, 'unknown');           

    console.log('FB service logged out');
    deferred.resolve(response);
});
return deferred.promise; 

Following this reference, "Facebook JS SDK FB.logout() doesn't terminate user session", I tried to use FB.Auth.setAuthResponse(null, 'unknown'); after the logout, but it didn't work for me.

João Otero
  • Are you sure you have been logged out of Facebook? FB.logout only does _that_, if the user logged into Facebook while logging in to your app. If they were already logged into Facebook before, then it will only log them out of your app. (And the latter is a bit pointless, if you have the SDK set up to recognize returning users automatically, because it will then log them in automatically again once they visit your site.) – CBroe Sep 19 '17 at 08:29
  • It's not an app, it's a website (I will update in my question). So I have a facebook login button in the website that opens up the facebook modal for login and returns me some user data. And I use that data to login into my website. ...Later on, when I log out the user from the site I also call the facebook logout. I don't know why, but seems it's not working as expected. – João Otero Sep 19 '17 at 09:20
  • It _is_ an app, it is just running on the website platform. // Again, if the user was logged into Facebook before already, then this will _not_ log them out of Facebook. And if they are logged in to Facebook, the JS SDK will “recognize” them at the next page load. What do you need this for anyway? Since people are only allowed to have one personal Facebook account, logging multiple users in and out on the same device is not a usual use case ... – CBroe Sep 19 '17 at 09:38
  • Well, imagine that different people share the same desktop. In a cyber cafe, for example. And my website has a "connect with facebook" button. How do I log out users from the facebook sdk? – João Otero Sep 19 '17 at 18:22
  • My expectation is indeed that the sdk would recognize a returning user that is logged in the _current_ facebook page, and log them in automatically. However, the sdk should not infer that the once logged in facebook account will still be the same every time, since people could disconnect from facebook and reconnect with a different account. – João Otero Sep 19 '17 at 18:29
  • Well if you inherit the previous person's session in an internet cafe, then something is seriously wrong ... – CBroe Sep 19 '17 at 18:41
  • I'm making some tests here. When I logout from facebook.com it seems I get the behavior I was expecting. Maybe I was assuming that the sdk logout would also logout the current session in facebook.com and it doesn't happen, it seems – João Otero Sep 19 '17 at 20:37
  • As I said at the very beginning, whether FB.logout logs the user out of your app and Facebook, or your app only, depends on whether they were already logged in to Facebook before they logged in to your app, or if they only logged into Facebook during the process of logging in to your app. – CBroe Sep 20 '17 at 07:30
  • Hi @CBroe. I finally got what you're saying and made some changes. Now the nature of the problem has migrated into another issue, which I posted here: https://stackoverflow.com/questions/46565954/angularjs-user-was-not-connected-after-a-successful-fb-login Please see if you can help. – João Otero Oct 04 '17 at 13:22

1 Answer

2

I was having a similar issue and solved it by having a Facebook disconnect button in the user profile which calls the API:

DELETE /{user-id}/permissions/

https://developers.facebook.com/docs/graph-api/reference/user/permissions/

E.g. with the Javascript SDK:

// remove permission, so that the user is asked to authenticate the app again
// or another user can login on the top right of the login popup

FB.api('/me/permissions', 'delete', {
  access_token: user.accessToken            // use existing token from database
}, (r) => {
  if (r.success) user.accessToken = null;   // remove token in database
});
Andreas Richter
  • Do you know of a way to remove the session on logout? It is still sticking around. – james emanon Mar 02 '19 at 23:31
  • @jamesemanon You have to be more precise which session / logout you mean. Do you mean the logout of the user on Facebook, or the logout from your website? See also https://stackoverflow.com/questions/2764436/facebook-oauth-logout – Andreas Richter Mar 04 '19 at 15:07
  • logout of the user on my app (not facebook proper). But I have multiple tabs open, and I might be logged in from the fb app. BUT, when I call logout from my app, it should clear everything.. it doesn't. It still allows the user to bypass the login (me in this testing example). I also tried deleting the permissions on the logout callback, didn't work. – james emanon Mar 04 '19 at 18:35
  • Facebook just gives you authentication, your app will (most likely!) have a separate session / account system that is just linked with the Facebook account. It depends largely on what framework / etc. you use. If you use vanilla FB API, without anything else, it should just work with FB.logout() also across tabs. – Andreas Richter Mar 05 '19 at 08:10
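
For a shared machine, the revoke call from the answer can be paired with a forced status check, so the site knows whether the next visitor will actually be prompted. This is an added example, not code from the thread: `revokeAndVerify`, `makeStubFb` and `demo` are hypothetical names, and the stub is a constructed stand-in for the SDK so the logic runs offline.

```javascript
// `fb` is the SDK object (window.FB in a browser); it is passed in so the
// logic can be exercised against the constructed stub below.
function revokeAndVerify(fb, done) {
  // DELETE /me/permissions, as in the answer above.
  fb.api('/me/permissions', 'delete', function (r) {
    const revoked = Boolean(r && r.success === true && !r.error);
    // Second argument `true` asks the SDK to re-check with Facebook
    // instead of answering from its cached status.
    fb.getLoginStatus(function (s) {
      done({
        revoked: revoked,
        status: s.status,
        // Only 'connected' lets the next visitor skip the login dialog.
        nextLoginPrompts: s.status !== 'connected'
      });
    }, true);
  });
}

// Constructed stand-in for the SDK (assumption: callbacks fire synchronously).
// It models only the three status values: connected, not_authorized, unknown.
function makeStubFb(state) {
  return {
    api: function (path, method, cb) {
      const ok = !state.apiFails && state.appAuthorized &&
                 path === '/me/permissions' && method === 'delete';
      if (ok) {
        state.appAuthorized = false;
        cb({ success: true });
      } else {
        cb({ error: { message: 'constructed failure' } });
      }
    },
    getLoginStatus: function (cb, force) {
      state.forced = force === true;
      if (!state.facebookSession) cb({ status: 'unknown' });
      else if (!state.appAuthorized) cb({ status: 'not_authorized' });
      else cb({ status: 'connected' });
    }
  };
}

// Runs the check against a stub in the given constructed state.
function demo(state) {
  let result = null;
  revokeAndVerify(makeStubFb(state), function (r) { result = r; });
  return result;
}
```

If `nextLoginPrompts` comes back false, the revoke did not take effect and the registration flow should not trust an automatic `connected` result.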