On my site i gave two options for user to login FB and Twitter, I successfully got user info from both APi's, now I want to handle facebook and twitter users in my MySQL database as one user.
For example : If someone registers with his FB profile and later if same user logged in with his Twitter account .I want to identify the user then.
Can it be possible? Any how?
if the user has used the same email address for facebook and twitter accounts, then if you have used the oauth settings to have carnal access to the facebook and twitter accounts then you could pick this out and compare them, but it's terrible practice.
on your own app do you ask for additional information? could you put in a branch that if a user is entering in data that you already have then you ask them if they are the same user? possibly checked by password?
Could you supply more information if i have misunderstood?
Margaret
Twitter and Facebook accounts are not generally linked, there is no way for you to find out automatically if they belong together. Even the email address could be misleading.
But is this even necessary? I would assume that a user that decides to log into your site via Facebook will always use Facebook. When they decide to user their Twitter login instead, they will expect to have a separate account.
You could give users the ability to "link" their accounts. When they have logged in via Facebook, provide a button "Add Twitter account" and vice versa. Then you can be sure that the person owns both accounts. This could even work when a user has multiple Facebook or Twitter accounts.
It is possible, however you would need to have a facebook field and a twitter field in the user table, and you would need to provide the user with the means of associating their existing account with their twitter / facebook account (whichever they weren't already using).
Personally I would favour having a user table which requires neither facebook nor twitter, but can use both. That we, Google+ people can use your site without being offended.
Related
I've managed to have an user sign in for my website through Facebook. It works this way:
User goes to my website and chooses to sign in with Facebook
Users goes to Facebook to authorize my app
If the app is authorized, the user comes back to my website and gets registered into my database
The user remains logged in via a cookie set by my website
I store these pieces of information from Facebook: username, email and ID.
What should happen if:
User logs out from Facebook and is still logged into my website? I still have that cookie and session that lets the user remain online, so even if the user isn't logged on Facebook, my users still can benefit from my website. Is this behavior normal or should it be avoided?
An user removes my Facebook App from his authorized apps list? The user is now part of my database, but the user removed the app from his account. How should I deal with this? How can I check if the App->Website connections are still valid for that user? If an user removed the app from his account, should I also remove him from my database? If yes, again, how do I make that check?
There are quite a few other things that are puzzling me and I think I should dedicate another question to those later on.
I'm using Facebook PHP SDK for all these tasks.
P.S: I only use Facebook as an authentication method for my website, nothing more.
To answer your question here are few things we do for the facebook connect
If user choose to create an account with the FB connect, we grab the
details like firstname,lastname, email, fb_userid and then save to
our database.
If the same user when comes user has to click on the FB login button and we check in our database if the API return fb_userid is in
our database and process the login and give access to the user pages.
So ideally we never store the fb_userid in the cookie and next time if the user comes just do the autologin.
Now what if user remove the app from FB, since we do not allow auto login by cookie saved data the user must click on the login button and then re-authorized the app. Since the fb_userid is already in our db, we detect the user after giving permission and let them login.
We have one advantage in our case , i.e. our web app requires monthly subscription so user has to pay for that. So usually people who do want to continue they come to our web site and cancel the account, we then remove the user info and that way fb_userid is also removed at our end. This makes us not to worry what if user remove the app from their FB, since if someone has to cancel they will do it from our website since they are in monthly recurrent billing.
I suppose in your case its not as above point, so you can do the following without violating any terms and conditions
Do not store the session in cookie and make user login with FB button
each time they come to your website. Also make a small note on your
website next to FB login button as "what is this ?" as may be a tool
tip and mention that the website will store the users fb_userid and
this will not be shared with any 3rd party.
Also mention that in case they remove the app from their facebook the id will be still there in our database and create
a cancel account page where user can cancel the account, but that
needs the user to be logged in. Once they cancel the account remove
the FB id from your DB.
Finally I dont think any API call could be used to see if the user has removed the app for offline users, but people who have logged to your site using the FB connect different permissions could be checked as
$permissions = $facebook->api( "/me/permissions" );
If the app requires Facebook, then you need to test the cases you mention and generate appropriate error messages. Beyond that, you just provide obvious ways for your user to clean up, like a working uninstall command.
I want to update my site so that it can be linked to facebook users. I have a database and use mysql for the original login system. I now want to replace that with facebook. Thing is i want to still run my checks, i dont just want any facebook user to log in, only ones that get entered into the database. The only way users can access to my site is with a .edu address. How would i incorporate this along with the facebook plugins? Facebook has two options for the login-sytem, JAVASCRIPT or Server-side scripting. I just want to know the best practical way of doing what i want to do. Thanks
You have to do a 2-step login process then. First, validate the user's address (.edu or not), then Login with facebook. Not a good design, but both needs to be separated.
I hope following step will be helpful to you
Go for Login With Facebook
Take Extended Permission from User (email,read_stream).
Once you get Permission from user get user's facebook id using getSignedRequest() or FB.getLoginStatus.
Get user's information using graph api (i.e. https://graph.facebook.com/btaylor)
Get email id from response and check for valid user email (.edu).
If email Id is not .edu (Destroy user session and show invalid message)
We have our own registration and login system.
Many of our users are users of facebook and often forget login details to our site so it would be good if they could login to our site using their FB account.
What would be the simplest way to associate their FB account with their user record in our system.
I guess there is no way to avoid a double login for the first time? i.e. login to facebook, then login to our system so they are paired so to speak. We store their facebook id in their user record and future visits would only require a FB login.
Any opinions or suggestions very welcome.
There could be various solutions suggested for the scenario mentioned, few could be as follows:
I hope you currently have an Email field in your database, just add another field to store FB id.
Provide an interface in your application, where logged-in users can associate their facebook account with their account in your application.
For not logged-in users, you can fetch email address from FB, and do a quick look-up if the email already exists in your system, and if it exists you can update the FB id field in the DB.
If its the other way, email doesn't exists, you can add a new account into your user table.
i think OAuth Library from Philsturgeon's can help you to solve your problem check this library
OAuth
also check documentation of this here
Oauth Doc at Spark
Users details are held in database table called user where I have fields username and password among others. Now, I need to give users additional option to login using facebook and twitter.
I know how to handle these authentications but what I can't think is -
How to identify which FB user account relates to which local user account? How do I do this?
I'm not looking for code but the process. The process in my mind is somewhat as below -
User logs in using username and password of my website. then they can add FB or Twitter as external authentication and when they do it I ask them to login to FB. On successful FB login I save some unique fb id (i don't know which as haven't checked yet) in the users table. Next time they can just login using FB as I'd be able to identify which local record they belong to. Is this how you would do this?
What would you suggest? Thanks for your inputs in advance.
PS - I'll be adding multiple networks (like linkedin and others) but at the moment fb and twitter only.
One way you can do this is :
#Registration
1. Allow the user to register with Facebook, Twitter
2. Once the process has completed, redirect the user to create a username on your site
3. Using the email obtained from Facebook, Twitter, and username from local form, insert all this information into a db table.
4. This will allow referencing between FB, TW, and local usernames
create a interrelated table which will hold userid, facebook or twitter userid, authentication type (facebook or twitter).
I have a problem of thinking of how to integrate 3rd party login (also do silent register) on website where already is used regular login/register system.
Basically current login is quite regular:
As user enters website session
class determines if he need to
re-login.
When user login all kind of sessions and cookies are set and
user get access to restricted areas.
Users table in mysql has quite a lot fields also password fields.
What i wondering is how you create user entry in the same database table if it's not there and do full (silent) register for that facebook user.
Well i'm not sure what you mean by silent register, but you can simplify your regular signup process if the user is connected to Facebook.
This is what we do:
When a user comes to our website (unauthenticated - no cookie set in browser), we check to see if this user is connected to Facebook
If the user is connected to Facebook and has connected before, we "sign them in" to our website
If the user is connected to Facebook and has not connected before, we do a call to the Facebook Graph API to grab some user details (name, email, etc), redirect the user to our signup page and fill in most of the details using the Facebook info we just received.
We have a seperate database table for Facebook users - we store the Facebook Unique ID and the user's email address.
The email address is very important - this is what we use to perform a single sign on, as the user's Facebook email address should match the email address for the website.
OpenID is a safe, faster, and easier way to log in to web sites.
:D
use open id ...
there is many lib in this address http://wiki.openid.net/w/page/12995176/Libraries
each user can login with user in facebook and gmail and you must give each user id and relation models for access
I am also new to this but got some idea how to do and i would like to share it.
You can use the Javascript API provided by Facebook, Google+ etc to make login into the site. The API has in-built methods which invoked for authentication and pulling data from the user's account(which is customizable what user data to pull). In between the javascript code you can write ajax call to your server script with user data(got from the third party server) for making the user signup or login into your system, what ever want to do.
Yes the configuration of all these are bit headache :-(