I've found several questions that are sort of similar to mine, but not 100%.
I've got a site which has normal user accounts. You have the option of using FB auth as well. The problem is often when the user visits the page (sometimes even after a few hours) even though the users account cookie is still valid, their facebook session is not.
So the user appears to be logged in, (the webpage says "Hi, [user]") but I have no facebook session, and any facebook API call will fail until they re-click "login with facebook". -- This is all despite the fact that I'm still logged in to facebook.
Now, I did a similar implementation about 11-9 months ago, and the facebook session rarely ever expired. Now it seems to happen every few hours. Oddly, other websites which use facebook auth don't seem to be suffering from this problem.
Any idea what I can do to keep the facebook session alive for as long as possible?
Thanks,
Nick
Most people combine the php-sdk with the js-sdk. This looks for auth events and will usually trigger a reload of the page signing the user back in to facebook
There's some sample code on the developer site, just above the following anchor
https://developers.facebook.com/docs/guides/web/#insights
Related
I'm working on a facebook app using php sdk. I have one small problem with my app, after the user has logged into my app, if the user logs out of facebook from a new browser tab,after which any action on my app should be redirect back to login page saying user has logged out. but in my case my app is still working, even though he was logged out .so can anyone help me on this.
Note: I'm not using any logout URL in my app page. I can directly destroy the session by calling $facebook->destroySession(), but I don't know how do I conditional do it,since I can't know when the user logs out of facebook(opening in new browser tab)
If I logout from Facebook, while my app is running in an iframe, in another tab, I get a modal dialog "Login to Continue" served from Facebook. (using chrome)
If the same App is running outside Facebook (no iframe) in another tab, and I logout from Facebook, my App detects that the Facebook session is ended.
That's because I check on every page load if there is a valid Facebook user ;-)
My guess is that you don't check on every page load if the user is logged in.....
(or you have a funny browser that does not share cookies between tabs or something)
I have the exact same problem. I could not found a way to detect if the user is logged in using the PHP SDK. However, when I combine the JS SDK, it can detect the session and set's the cookie correctly. Then I pick the cookie/session using the PHP SDK.
Be careful if you use my solution. Using the combined JS and PHP SDK, the AccessToken seems to lose it's persistence. the problem I have is getting the following error:
OAuthException: An active access token must be used to query information about the current user.
After reading, I discovered that this was a but that got fixed on pull 48 of the SDK:
https://github.com/facebook/facebook-php-sdk/pull/48
That partially helped but now I get this error:
OAuthException: Error validating access token: Session has expired at unix time
Summary: The combo SDK seems to work for solving your problems but the API obviously behaves buggy. I'm continuing my research and will post when I get resolutions.
Looking forward to hear what others have done to solve this matter
This is my first question here, so apologies if asking something trivial - though I didn't find an answer after an hour of digging.
I have a PHP website which needs to connect with a Facebook page in the following method:
On certain triggers, the site needs to post to the page's wall as the page itself. This has to be done automatically, even if no user session is available (e.g. if someone uses the site without actually having a Facebook account).
I found solutions using extended token expiration times (offline access), but in those cases, the post will always appear as the site admin (me, in this case). However, I need the post to be written by the page. When using Facebook as the page, I have no right to request an offline access token.
Is this even possible at the moment?
You need to cache the page access token on your server and use that to make the updates - the page login is pretty well documented here: https://developers.facebook.com/docs/authentication/pages/ -
Store the access_token in your server-side code and use that token to post as the page - the page access token won't expire if you have a long-expiry access token for the page admin, unless the user stops being an admin of the page, removes the app, etc.
First of all, I'm sorry for yet another "offline_access" question, but I blame Facebook for being so vague about this. I've been reading so much (here and the official Facebook deprecation "docs") about it and the more I read, the more questions I have.
Our application uses the Facebook API to publish stories from users to their timeline. This is being done from our servers using PHP via curl.
My understanding is that accesstokens cannot be valid for more than 60 days. Does this mean that our users have to come back to our site to re-authorize everytime their token has become invalid? If so, how would services like Foursquare (who have a similar integration as we have) handle this?
Or is it possible to simply request a new token when the Facebook-API replies with a "This token has expired" message?
I think this is covered in the migration document as scenario 3 or 4 depending on your auth flow
Yes, your users need to come back at least once every 60 days in order for you to have a valid token to take actions on that user's behalf
Of course they have to come back – that’s the whole point of removing offline_access, that apps can’t go on acting forever on behalf of users who maybe don’t even notice it any more.
Or is it possible to simply request a new token when the Facebook-API replies with a "This token has expired" message?
Not without user interaction. But as far as I understand it, it should be enough to call for example FB.login via the JS SDK when the user is on your page, which will display the popup and immediately close it again if the user is logged in to FB and has still authorized your app, to get a new short-lived access_token, which you can then exchange for a long-lived one.
My goal is to use Facebook Login on a website with as few api calls as possible. I don't want to use any server-sided facebook api call on sites that don't interact with facebook at all. That means I only want to use api calls for logging in and publishing things. However I don't want to use Facebooks offline_access permission flag.
Here are some thoughts:
Use own sessions for the site instead of relying on Facebook sessions. So a user stays logged in even if the Facebook session token is expired. Otherwise the user will be logged out as soon as the token is expired and needs to click login again to get a new token or Facebooks JS SDK will auto-login but this still isn't perfect because the user will see the page in "logged-out state" and it will refresh as soon as the JS SDK got a new token. No-JS users have to click the Login button again.
Cache Facebook user data in database or memcache. Use Facebook API Subscription to keep the database updated. -> No need to ask the API for changes in the user's Facebook profile.
Problem:
While using own sessions the Facebook session token might be expired when trying to publish sth. on Facebook. So you have to abort the current script and get a new token by redirecting the user to Facebook or using the JS SDK. Then continue the script. This is pain.
My thought on how to solve the problem:
Instead of publishing things on Facebook using PHP you can also do this in Javascript. If the token is expired just get a new one using JS which does not require the page to be reloaded nor the page to be redirected to Facebook. However I want to support users with disabled Javascript and then this is not possible.
In my opinion the only useful approach is to use own sessions with cached user data and keep the people logged in even if the Facebook token is expired. But redirect them to Facebook and back as soon as Facebook interaction is required. This way the user won't see the page in "logged-out state", no Javascript is required and the user will be only redirected to Facebook Login if it's really needed. For Javascript users the Facebook JS SDK will renew the token (which is then stored in a cookie) without the user noticing this as the user is still logged in (using the own session handling).
What do you think? Is there another (better?) approach to do this? My last point quite seems doable but isn't there an easier way? Thanks.
I had this exact same issue when creating an authentication system for my website. Like Elad Lachmi said, you can run FB.login on each page load - but this will cause a quick popup flash (gets very annoying).
My solution actually ended up requiring me to use offline_access. It seems that there is just no other appropriate way to keep the user logged in if they leave your site for a couple of hours.
Here's the (potential) catch:
Log the user in via Facebook without offline access
On each page, use jQuery to write an iframe to a specially formed URL which uses FB.getLoginStatus, and set it to refresh every 15 minutes
This combination should, every 15 minutes, fetch the most up-to-date user session ID from Facebook. It will cause it to be updated when it is close to expiration.
Please note that I haven't tried this, and it may be against the Facebook ToS. But it is really the only solution without using offline_access if you want to keep a user logged in for more than 2 hours without requiring them to refresh a page.
I have a facebook application in my website. When someone is already logged in to my website, I have the offline_access of his facebook account, but when I put a like button, it always asks for login to facebook again.
Everything else works, like printing the posts, photos, etc. But the simple action of liking something, doesn't. How can I make it work using the php-sdk api?
I'm presuming that you have just used the like button code from here. What's happening when they click that button it's not going THROUGH your website but rather taking a bit with it to facebook. So it takes your URL to facebook and they do the whole posting bit... therefore if the client is not logged into facebook it'll ask them to login.
What you can do is use a curl posting script through your website and that should post whether they are logged into the facebook main site or not provided they logged in with the offline_access.
Please tell me if you need more information or if I have mis-interpreted what you meant.
Regards,
Jon
I guess you are misunderstanding the behavior of the offline_access permission:
Enables your application to perform
authorized requests on behalf of the
user at any time. By default, most
access tokens expire after a short
time period to ensure applications
only make requests on behalf of the
user when the are actively using the
application. This permission makes the
access token returned by our OAuth
endpoint long-lived.
This would mean, even if the user is logged off, your application will still have access to it's account BUT this DOES NOT mean that you can capture/monitor if the user is back on your website again until he is logged to his FB account again.
So offline_access will never know if the same user is currently on the page and "automatically" log him to his FB account!