Ok, so i have created a facebook login for a website.
The site has a user account overlay. When the user has a std account the user checks are simple as i am querying my own server. Each page load I run 'isUserLoggedIn()'..
However, if the user logs in with facebook.. things get a little different.
What if the user logs out of facebook? Am i expected to logout the user from my website? If so this would require a call to facebook each and everytime a page was loaded.. what ahve other people done with scenarios like this?
I was thinking that I could check every tenth server request to see if the user is still logged in with facebook?
Or do people not bother and only log the user out of their site when the user specifically logs out of the website?
Related
I currently use the Facebook JavaScript SDK to retrieve the e-mail address of the current logged in user in Facebook. So a user clicks Log-in, their email address is displayed in a form field, then they either register or log-in (if they have previously registered).
I have been asked to make it so clicking "Log-in" actually logs them in to the site automatically. I do not understand how this is possible as currently to log-in you require a username and password.
Do I need to actually insert a user into the website's backend?
Not sure if this is allowed but www.dealdash.com is an example of what I need. If you click Log in in the top right of the screen then Sign in with Facebook - it asks you for permission and then afterwards you are logged in.
I found this graph once, that was very helpful.
I've managed to have an user sign in for my website through Facebook. It works this way:
User goes to my website and chooses to sign in with Facebook
Users goes to Facebook to authorize my app
If the app is authorized, the user comes back to my website and gets registered into my database
The user remains logged in via a cookie set by my website
I store these pieces of information from Facebook: username, email and ID.
What should happen if:
User logs out from Facebook and is still logged into my website? I still have that cookie and session that lets the user remain online, so even if the user isn't logged on Facebook, my users still can benefit from my website. Is this behavior normal or should it be avoided?
An user removes my Facebook App from his authorized apps list? The user is now part of my database, but the user removed the app from his account. How should I deal with this? How can I check if the App->Website connections are still valid for that user? If an user removed the app from his account, should I also remove him from my database? If yes, again, how do I make that check?
There are quite a few other things that are puzzling me and I think I should dedicate another question to those later on.
I'm using Facebook PHP SDK for all these tasks.
P.S: I only use Facebook as an authentication method for my website, nothing more.
To answer your question here are few things we do for the facebook connect
If user choose to create an account with the FB connect, we grab the
details like firstname,lastname, email, fb_userid and then save to
our database.
If the same user when comes user has to click on the FB login button and we check in our database if the API return fb_userid is in
our database and process the login and give access to the user pages.
So ideally we never store the fb_userid in the cookie and next time if the user comes just do the autologin.
Now what if user remove the app from FB, since we do not allow auto login by cookie saved data the user must click on the login button and then re-authorized the app. Since the fb_userid is already in our db, we detect the user after giving permission and let them login.
We have one advantage in our case , i.e. our web app requires monthly subscription so user has to pay for that. So usually people who do want to continue they come to our web site and cancel the account, we then remove the user info and that way fb_userid is also removed at our end. This makes us not to worry what if user remove the app from their FB, since if someone has to cancel they will do it from our website since they are in monthly recurrent billing.
I suppose in your case its not as above point, so you can do the following without violating any terms and conditions
Do not store the session in cookie and make user login with FB button
each time they come to your website. Also make a small note on your
website next to FB login button as "what is this ?" as may be a tool
tip and mention that the website will store the users fb_userid and
this will not be shared with any 3rd party.
Also mention that in case they remove the app from their facebook the id will be still there in our database and create
a cancel account page where user can cancel the account, but that
needs the user to be logged in. Once they cancel the account remove
the FB id from your DB.
Finally I dont think any API call could be used to see if the user has removed the app for offline users, but people who have logged to your site using the FB connect different permissions could be checked as
$permissions = $facebook->api( "/me/permissions" );
If the app requires Facebook, then you need to test the cases you mention and generate appropriate error messages. Beyond that, you just provide obvious ways for your user to clean up, like a working uninstall command.
I downloaded the Facebook-sdk for php and played around with it for a while.
So they have this example file, where user info is showed:
facebook-facebook-php-sdk-98f2be1/examples/example.php
It only shows user info after accepting the app.
Maybe that's not even possible/allowed...
But I what to know if a user is logged into facebook, not into my app.
I don't need his name, id, etc, nothing... Just want to know IF he there is a Facebook session in the background. Reason: I want to redirect users who are not logged in to Facebook elsewhere, because maybe they don't even have a facebook account.
But I w[an]t to know if a user is logged into facebook, not into my app. […] Just want to know IF he there is a Facebook session in the background.
That’s not possible.
Without having a user connect to our app first, you get virtually nothing, no info whatsoever.
Update:
The PHP SDK now has a method getLoginStatusUrl that can provide that info.
It can determine three different states – a user logged into Facebook, logged out of Facebook, or unknown. It works by redirecting the user’s browser to Facebook to make the check, and then redirecting to three different URLs of your app that you can specify.
(Of course this’ll work without using the PHP SDK as well – you will just have to look into it’s source to see what the exact URL it creates is, then you can redirect the user there yourself.)
I am using the oauth method in order to allow a user to sign into my website with Twitter and Facebook. I also plan to add Yahoo! and Google as well such as Stack Overflow does. Once the user logs in with Twitter successfully they have the option of logging out.
I want to make it to where when the 'Log out' button or link is selected, the user is logged out of my site AND TWITTER. I need it to log out of Twitter also in the case that the user is accessing my website and not Twitters. How do I do this?
Demo and example at: develop.f12media.com
The user clicks on 'Login' at the top of the page to log in with their Twitter account.
Redirecting the user to http://twitter.com/logout will probably work.
But don't do it. OAuth isn't meant to behave that way. Just log the user out of YOUR site.
Logging in to your site via OAuth doesn't necessarily log them in at Twitter, so logging out via your site shouldn't log them out either.
In Facebook it can be done easily because facebook provides logout.php and it takes next=sendBackURL as param.
so when user clicks on Logout button of your application, we can just invoke above logout URL, which will log out the user and smart facebook URL next=sendBackURL will send to your application login page.
But the above seems difficult in twitter, but I think if I do the same, then user will be on Twitter site but he will be logged out of both ur application and twitter.
so it can be by sending authorize?force_login=true, it will be called or will get redirection just after your application logs out user from your site, and user will be directed to Twitter again, I have tested it logs out user from twitter, although it will ask twitter credentials again, but no issue, user can just ignore that.
If Twitter can also provide some logout url, which takes next URL, it will be easy.
Whether or not the user is authenticated on the Twitter site is between the user and the Twitter site. You don't have access or control to that. You only have control over your auth token for that user on your site. You could expire the user's auth token when they log out of your site, but that only affects their Twitter authentication through your site. All that would accomplish is making it so they have to authenticate with Twitter again the next time they log into your site.
I think you're trying to accomplish something you don't need to here. This is the expected flow of OAuth and you shouldn't be worrying about logging the person out of a 3rd party site.
I have a facebook application in my website. When someone is already logged in to my website, I have the offline_access of his facebook account, but when I put a like button, it always asks for login to facebook again.
Everything else works, like printing the posts, photos, etc. But the simple action of liking something, doesn't. How can I make it work using the php-sdk api?
I'm presuming that you have just used the like button code from here. What's happening when they click that button it's not going THROUGH your website but rather taking a bit with it to facebook. So it takes your URL to facebook and they do the whole posting bit... therefore if the client is not logged into facebook it'll ask them to login.
What you can do is use a curl posting script through your website and that should post whether they are logged into the facebook main site or not provided they logged in with the offline_access.
Please tell me if you need more information or if I have mis-interpreted what you meant.
Regards,
Jon
I guess you are misunderstanding the behavior of the offline_access permission:
Enables your application to perform
authorized requests on behalf of the
user at any time. By default, most
access tokens expire after a short
time period to ensure applications
only make requests on behalf of the
user when the are actively using the
application. This permission makes the
access token returned by our OAuth
endpoint long-lived.
This would mean, even if the user is logged off, your application will still have access to it's account BUT this DOES NOT mean that you can capture/monitor if the user is back on your website again until he is logged to his FB account again.
So offline_access will never know if the same user is currently on the page and "automatically" log him to his FB account!