
My goal is to use Facebook Login on a website with as few API calls as possible. I don't want to use any server-side Facebook API call on pages that don't interact with Facebook at all. That means I only want to use API calls for logging in and publishing things. However, I don't want to use Facebook's offline_access permission flag.

Here are some thoughts:

  • Use own sessions for the site instead of relying on Facebook sessions, so a user stays logged in even if the Facebook session token is expired. Otherwise the user will be logged out as soon as the token expires and needs to click Login again to get a new token, or Facebook's JS SDK will auto-login, but this still isn't perfect because the user will see the page in "logged-out state" and it will refresh as soon as the JS SDK gets a new token. No-JS users have to click the Login button again.
  • Cache Facebook user data in a database or memcache. Use Facebook API Subscriptions to keep the database updated. -> No need to ask the API for changes in the user's Facebook profile.

Problem:

  • While using own sessions, the Facebook session token might be expired when trying to publish something on Facebook. So you have to abort the current script and get a new token by redirecting the user to Facebook or using the JS SDK, then continue the script. This is a pain.

My thought on how to solve the problem:

  • Instead of publishing things on Facebook using PHP you can also do this in JavaScript. If the token is expired, just get a new one using JS, which requires neither a page reload nor a redirect to Facebook. However, I want to support users with JavaScript disabled, and then this is not possible.
  • In my opinion the only useful approach is to use own sessions with cached user data and keep people logged in even if the Facebook token is expired, but redirect them to Facebook and back as soon as Facebook interaction is required. This way the user won't see the page in "logged-out state", no JavaScript is required, and the user will only be redirected to Facebook Login if it's really needed. For JavaScript users the Facebook JS SDK will renew the token (which is then stored in a cookie) without the user noticing, as the user is still logged in (using the own session handling).

What do you think? Is there another (better?) approach to do this? My last point seems quite doable, but isn't there an easier way? Thanks.

Eliasdx
  • I don't get what you're trying to accomplish. You want the user to remain logged in even when they are not logged in? – Elad Lachmi Apr 03 '11 at 13:52
  • I want to write applications in PHP and use Facebook as Login Provider. Using own sessions I can keep the user logged in on my side even if the Facebook token is expired or the user logs out on Facebook. – Eliasdx Apr 03 '11 at 13:54
  • Isn't the point of using Facebook as a login provider that you don't need to take care of these things? – Elad Lachmi Apr 03 '11 at 13:58
  • Yes but I don't want the user to see my website as guest once the token is expired and I don't want to check against the API if the user is still logged in on every page visit. However I could check using cookies if the user was logged in before and if the token is expired (saving expiration time in cookie) and HTTP redirect directly to Facebook if user WAS logged in and token IS expired. However if the user revoked the permission he will always see the Facebook auth page instead of a guest-view of my site. – Eliasdx Apr 03 '11 at 14:10
  • You can run the FB.login method on each $(document).ready(), it will not re-login the user if they are already logged in. What you can do is save a cookie saying the user has been authenticated before and run FB.login only when you need to interact with facebook. – Elad Lachmi Apr 03 '11 at 14:14
  • I already thought about that but the main question is what to do when a _PHP_ script needs to interact with facebook and the token is (just) expired. – Eliasdx Apr 03 '11 at 14:17
  • You need to re-authenticate. Nothing else to do. If you don't want to use the PHP SDK you can insert the JavaScript code to re-authenticate into the page and then call the PHP code again after authentication. – Elad Lachmi Apr 03 '11 at 14:20
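
The last approach in the question (own session as the source of truth, redirect to Facebook only when a server-side Facebook call actually needs a token) can be sketched in PHP. This is an added example, not code from the question, the comments or the answer, and not the Facebook PHP SDK. It assumes: `session_start()` has already been called; `FB_APP_ID`, `FB_APP_SECRET` and `FB_REDIRECT_URI` are placeholders; the OAuth dialog and token endpoints are the classic Graph API URLs of that era and the token endpoint answers with a form-encoded `access_token=...&expires=...` body; all function names are mine.

```php
<?php
// Added example: keep the site's own PHP session as the login state, store the
// Facebook token and its expiry server-side (not in a client cookie, so it cannot
// be tampered with), and only redirect to Facebook when a token is really needed.
declare(strict_types=1);

const FB_APP_ID       = 'YOUR_APP_ID';                                   // placeholder
const FB_APP_SECRET   = 'YOUR_APP_SECRET';                               // placeholder
const FB_REDIRECT_URI = 'https://example.com/fb/callback';               // placeholder
const FB_OAUTH_DIALOG = 'https://www.facebook.com/dialog/oauth';         // assumed endpoint
const FB_TOKEN_URL    = 'https://graph.graph-placeholder.invalid/oauth/access_token'; // placeholder
const EXPIRY_MARGIN   = 300;   // seconds: a token expiring within 5 minutes counts as expired
const DEFAULT_TTL     = 7200;  // assumed lifetime if the endpoint sends no "expires"

// Pure decision function: is the stored token still usable at $now?
function fbTokenUsable(array $session, int $now, int $margin = EXPIRY_MARGIN): bool
{
    if (empty($session['fb_token']) || !isset($session['fb_expires_at'])) {
        return false;
    }
    return ((int) $session['fb_expires_at'] - $margin) > $now;
}

// Only accept same-site relative paths as the post-login return target,
// so the callback cannot be abused as an open redirect.
function safeReturnPath(string $path): string
{
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        return '/';
    }
    return $path;
}

// URL of Facebook's OAuth dialog; $state is a random per-request value kept in
// the session so the callback can reject forged redirects (CSRF).
function fbLoginUrl(string $state, string $scope): string
{
    return FB_OAUTH_DIALOG . '?' . http_build_query([
        'client_id'    => FB_APP_ID,
        'redirect_uri' => FB_REDIRECT_URI,
        'scope'        => $scope,
        'state'        => $state,
    ]);
}

// Call this before any server-side Facebook request. Returns a usable token, or
// remembers where to resume, sends the user to the dialog and stops the script.
function requireFbToken(string $returnTo, string $scope = 'PLACEHOLDER_PERMISSION'): string
{
    if (fbTokenUsable($_SESSION, time())) {
        return $_SESSION['fb_token'];
    }
    $_SESSION['fb_state']  = bin2hex(random_bytes(16));
    $_SESSION['fb_return'] = safeReturnPath($returnTo);
    header('Location: ' . fbLoginUrl($_SESSION['fb_state'], $scope), true, 302);
    exit;
}

// Exchange the OAuth code for a token. Response format is an assumption (see lead-in).
function exchangeCodeForToken(string $code): array
{
    $query = http_build_query([
        'client_id'     => FB_APP_ID,
        'client_secret' => FB_APP_SECRET,
        'redirect_uri'  => FB_REDIRECT_URI,
        'code'          => $code,
    ]);
    $body = file_get_contents(FB_TOKEN_URL . '?' . $query);
    if ($body === false) {
        throw new RuntimeException('token exchange failed');
    }
    parse_str($body, $out);
    if (empty($out['access_token'])) {
        throw new RuntimeException('no access_token in response');
    }
    $ttl = isset($out['expires']) ? (int) $out['expires'] : DEFAULT_TTL;
    return ['access_token' => (string) $out['access_token'], 'expires' => $ttl];
}

// Callback handler for FB_REDIRECT_URI: ?code=...&state=...
function handleFbCallback(array $get): void
{
    if (!isset($get['state'], $_SESSION['fb_state'])
        || !hash_equals($_SESSION['fb_state'], (string) $get['state'])) {
        http_response_code(400);
        exit('invalid OAuth state');
    }
    unset($_SESSION['fb_state']);
    $back = safeReturnPath((string) ($_SESSION['fb_return'] ?? '/'));
    if (isset($get['code'])) {                  // user declined: stay logged in on our side, no token
        $tok = exchangeCodeForToken((string) $get['code']);
        $_SESSION['fb_token']      = $tok['access_token'];
        $_SESSION['fb_expires_at'] = time() + $tok['expires'];
    }
    header('Location: ' . $back, true, 302);
    exit;
}
```

Usage: a page that publishes something calls `$token = requireFbToken($_SERVER['REQUEST_URI'])` first; ordinary pages never touch Facebook and simply trust the PHP session. Two points matter from a security standpoint: the expiry is kept in the server session rather than a client cookie (the comment above suggests a cookie, which the browser can edit), and the callback checks a random `state` value with `hash_equals` and only redirects to a same-site path, so the login round trip cannot be turned into a CSRF login or an open redirect.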

1 Answer


I had this exact same issue when creating an authentication system for my website. Like Elad Lachmi said, you can run FB.login on each page load, but this will cause a quick popup flash (gets very annoying).

My solution actually ended up requiring me to use offline_access. It seems that there is just no other appropriate way to keep the user logged in if they leave your site for a couple of hours.

Here's the (potential) catch:

  • Log the user in via Facebook without offline access
  • On each page, use jQuery to write an iframe to a specially formed URL which uses FB.getLoginStatus, and set it to refresh every 15 minutes

This combination should, every 15 minutes, fetch the most up-to-date user session ID from Facebook. It will cause it to be updated when it is close to expiration.

Please note that I haven't tried this, and it may be against the Facebook ToS. But it is really the only solution without using offline_access if you want to keep a user logged in for more than 2 hours without requiring them to refresh a page.

Colin M