I've managed to have an user sign in for my website through Facebook. It works this way:
User goes to my website and chooses to sign in with Facebook
Users goes to Facebook to authorize my app
If the app is authorized, the user comes back to my website and gets registered into my database
The user remains logged in via a cookie set by my website
I store these pieces of information from Facebook: username, email and ID.
What should happen if:
User logs out from Facebook and is still logged into my website? I still have that cookie and session that lets the user remain online, so even if the user isn't logged on Facebook, my users still can benefit from my website. Is this behavior normal or should it be avoided?
An user removes my Facebook App from his authorized apps list? The user is now part of my database, but the user removed the app from his account. How should I deal with this? How can I check if the App->Website connections are still valid for that user? If an user removed the app from his account, should I also remove him from my database? If yes, again, how do I make that check?
There are quite a few other things that are puzzling me and I think I should dedicate another question to those later on.
I'm using Facebook PHP SDK for all these tasks.
P.S: I only use Facebook as an authentication method for my website, nothing more.
To answer your question here are few things we do for the facebook connect
If user choose to create an account with the FB connect, we grab the
details like firstname,lastname, email, fb_userid and then save to
our database.
If the same user when comes user has to click on the FB login button and we check in our database if the API return fb_userid is in
our database and process the login and give access to the user pages.
So ideally we never store the fb_userid in the cookie and next time if the user comes just do the autologin.
Now what if user remove the app from FB, since we do not allow auto login by cookie saved data the user must click on the login button and then re-authorized the app. Since the fb_userid is already in our db, we detect the user after giving permission and let them login.
We have one advantage in our case , i.e. our web app requires monthly subscription so user has to pay for that. So usually people who do want to continue they come to our web site and cancel the account, we then remove the user info and that way fb_userid is also removed at our end. This makes us not to worry what if user remove the app from their FB, since if someone has to cancel they will do it from our website since they are in monthly recurrent billing.
I suppose in your case its not as above point, so you can do the following without violating any terms and conditions
Do not store the session in cookie and make user login with FB button
each time they come to your website. Also make a small note on your
website next to FB login button as "what is this ?" as may be a tool
tip and mention that the website will store the users fb_userid and
this will not be shared with any 3rd party.
Also mention that in case they remove the app from their facebook the id will be still there in our database and create
a cancel account page where user can cancel the account, but that
needs the user to be logged in. Once they cancel the account remove
the FB id from your DB.
Finally I dont think any API call could be used to see if the user has removed the app for offline users, but people who have logged to your site using the FB connect different permissions could be checked as
$permissions = $facebook->api( "/me/permissions" );
If the app requires Facebook, then you need to test the cases you mention and generate appropriate error messages. Beyond that, you just provide obvious ways for your user to clean up, like a working uninstall command.
Related
On my site i gave two options for user to login FB and Twitter, I successfully got user info from both APi's, now I want to handle facebook and twitter users in my MySQL database as one user.
For example : If someone registers with his FB profile and later if same user logged in with his Twitter account .I want to identify the user then.
Can it be possible? Any how?
if the user has used the same email address for facebook and twitter accounts, then if you have used the oauth settings to have carnal access to the facebook and twitter accounts then you could pick this out and compare them, but it's terrible practice.
on your own app do you ask for additional information? could you put in a branch that if a user is entering in data that you already have then you ask them if they are the same user? possibly checked by password?
Could you supply more information if i have misunderstood?
Margaret
Twitter and Facebook accounts are not generally linked, there is no way for you to find out automatically if they belong together. Even the email address could be misleading.
But is this even necessary? I would assume that a user that decides to log into your site via Facebook will always use Facebook. When they decide to user their Twitter login instead, they will expect to have a separate account.
You could give users the ability to "link" their accounts. When they have logged in via Facebook, provide a button "Add Twitter account" and vice versa. Then you can be sure that the person owns both accounts. This could even work when a user has multiple Facebook or Twitter accounts.
It is possible, however you would need to have a facebook field and a twitter field in the user table, and you would need to provide the user with the means of associating their existing account with their twitter / facebook account (whichever they weren't already using).
Personally I would favour having a user table which requires neither facebook nor twitter, but can use both. That we, Google+ people can use your site without being offended.
In my website I have put up Login with Google, Login with Facebook and Login with Twitter.
But if the same user logs in using different providers, ie. the user first logs in using Facebook and then logs out and then logs in using Google I need to identify that both are the same person.
Currently what I am doing is that if the Facebook and Google accounts has the same email id I combine the accounts. The problem is that if the user is logging in using Twitter I wont be getting their email Id which means I cant uniquely identify them.
Does anyone have any other solution ? Thanks
You might consider linking users fb,gmail or twitter to a local db on your site,
Alternate method
Whenever user logs in using any method generate a userid generated from your mysql db and save to a cookie, next time user logs in via any method retrieve the ip and cookie details and update your mysql database accordingly.
Next time user logs in , your system will know about their particulars.
Hope it helps.
I've set up a facebook login for my site, using the faceboko php-sdk example.php method. It's working fine, but I want a user who has already allowed my site once to be automatically logged into my site, if they're logged in facebook.
Currently, if a user who has previously 'allowed' my application visits my site while logged in with facebook, they need to click login with facebook, then they are redirected and logged-in. Even though after that click, they don't need to provide any credentials or anything. Thus I would just like this step to be removed and for a user to be automatically logged in.
I hope that makes sense. Thanks
This is discussed on their site.
http://developers.facebook.com/docs/guides/web/#login
Facebook Platform uses OAuth 2.0 for
authentication and authorization.
While you can add login to your site
using OAuth 2.0 directly (see our
Authentication Overview), the open
source JavaScript SDK is the simplest
way to use Facebook for login.
[...]
In order to log the user into your
site, three things need to happen.
First, Facebook needs to authenticate
the user. This ensures that the user
is who they say they are. Second,
Facebook needs to authenticate your
website. This ensures that the user is
giving their information to your site
and not someone else. Lastly, the user
must explicitly authorize your website
to access their information. This
ensures that the user knows exactly
what data they are disclosing to your
site.
http://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
By testing for the presence of the
session object within the response
object, you can be sure the user is
known to your application and you can
begin to make further calls to the
Facebook APIs. If the session object
is not present, the user is either not
logged into Facebook, or has not
authorized your application.
http://developers.facebook.com/docs/authentication/
Check the client side flow section to see when you get the authentication token you need to be passing around.
If the user is already logged in, we
validate the login cookie that we have
stored on the user's browser,
authenticating the user. If the user
is not logged in, they are prompted to
enter their credentials
I have a problem of thinking of how to integrate 3rd party login (also do silent register) on website where already is used regular login/register system.
Basically current login is quite regular:
As user enters website session
class determines if he need to
re-login.
When user login all kind of sessions and cookies are set and
user get access to restricted areas.
Users table in mysql has quite a lot fields also password fields.
What i wondering is how you create user entry in the same database table if it's not there and do full (silent) register for that facebook user.
Well i'm not sure what you mean by silent register, but you can simplify your regular signup process if the user is connected to Facebook.
This is what we do:
When a user comes to our website (unauthenticated - no cookie set in browser), we check to see if this user is connected to Facebook
If the user is connected to Facebook and has connected before, we "sign them in" to our website
If the user is connected to Facebook and has not connected before, we do a call to the Facebook Graph API to grab some user details (name, email, etc), redirect the user to our signup page and fill in most of the details using the Facebook info we just received.
We have a seperate database table for Facebook users - we store the Facebook Unique ID and the user's email address.
The email address is very important - this is what we use to perform a single sign on, as the user's Facebook email address should match the email address for the website.
OpenID is a safe, faster, and easier way to log in to web sites.
:D
use open id ...
there is many lib in this address http://wiki.openid.net/w/page/12995176/Libraries
each user can login with user in facebook and gmail and you must give each user id and relation models for access
I am also new to this but got some idea how to do and i would like to share it.
You can use the Javascript API provided by Facebook, Google+ etc to make login into the site. The API has in-built methods which invoked for authentication and pulling data from the user's account(which is customizable what user data to pull). In between the javascript code you can write ajax call to your server script with user data(got from the third party server) for making the user signup or login into your system, what ever want to do.
Yes the configuration of all these are bit headache :-(
I am developing a PHP/MySQL e-commerce site with some social aspects, and am looking to integrate it with Facebook. I already have a native user registration/session handling system. I have managed to include the iframe "Social Plugins" such as a "Like" button. But I really would like to offer users the option of registering with the site via Facebook over the native registration process.
I understand the idea of getting an access token via the OAuth protocol, and eventually getting a user ID. My concerns are two-fold:
Is this method secure? This is an e-commerce site, but I am not storing any credit cards or any other sensitive data. I can't think of how this could be exploited, but I am only one head!
I understand how to retrieve the initial token and get the user ID during the registration process. But how do I recognize a return (session) user? Do I have to implement the Javascript SDK for that (something I want to avoid)? Or, do I handle the sessions just like they already are handled natively, but replace a normal user ID in the session cookie with a Facebook user ID when appropriate?
I apologize if the answers are obvious. I have scoured Google and the Facebook documentation, but half the links I find are to deprecated FBConnect wiki articles, and the new docs are helpful, but sparse on the examples. I have no idea what is still supported, what is new, and how to do this!
Yes Oauth is very secure. Many many applications rely on it and there are no known ways to exploit it.
One way you could do this is store the Facebook id's of users so when they come back you can see that their id already exists in your records and know it is a returning user. Their session may be different (expired since last visit for example) so you don't want to store their access token; but their Facebook user id is always be the same.
How I basically integrated Facebook registration/login on my site is I added a facebook_id column in my users table and a "Register with Facebook" button. If the user clicks, authenticates with Facebook and I get back a session and the user is new, I redirect to the registration page, prefill as many fields as I can with data from Facebook (like their name), and add the Facebook id as a hidden input field. Therefore when they register, their facebook_id will be filled in the database. This is the same registration page as the standard one, so the only difference with a non-Facebook user is that the facebook_id field will be empty. If you want, you can also not require a password for Facebook users.
For the user to log in, the user would just click a "Login with Facebook" button and authenticate with Facebook. Once Facebook gives me the session, I log the user in as whatever user has the facebook_id as the one in Facebook's session. Since you are worried about security, I'll note that this session cannot be forged as it is signed with the application secret key that only you and Facebook know. If you use Facebook's SDK (which you should) you do not have to worry about the signing and signature verification. The fact that you can read coherent information from the session means that Facebook's SDK has verified it.
This Facebook page is a great guide on integrating registration with Facebook.