I've been following the guide here: https://developers.facebook.com/docs/authentication/
Once I have the server-side flow section working and have access to the accounts information is the idea to then store that information in my database and create a session for the user? That way they can log in and out of my site?
If not, how does my site access the user's information and log the user out when needed?
Thanks!
i check if the user is already saved in the DB, if not i create the users account and then save the info in the session (login the user on my site).
I prefer to use the php SDK provided, because it's easier to call the fb api, and i mix it with the Javascript SDK, to show the login buttons and pop-up... also for the like buttons
Good Luck
Related
I am doing a login with facebook on my website.
Unlike most logins I see....my users may already be signed up and later want to connect to their facebook. If they jump the gun and click 'login with facebook' when they already have an account on the website, they may end up creating a new account...which we don't want.
Instead, I have it set up so they login with facebook...and upon returning, check to see if the fbID or the fb email exists in the current db. If not...then present them with a login screen to login normally. At that time they will connect the two accounts. I have been researching for this quite some time and I am very surprised I don't see this method posted everywhere on the web. Seems logical to me.
To be clear, I use the FB JS SDK, to do the login with facebook popup. Then after the redirect, I use the FB PHP SDK to obtain the fb user ID and the users info from facebook.
Ok...so...one issue I have been having, is that after logging in with facebook...and then getting redirected back to a normal login screen, the facebook authentication is GONE when submitting normally. In order to finish connecting the two accounts in a secure manner, I would like to authenticate the user a second time before updating the database with their facebook ID.
In an effort to do this....I have decided to obtain the fb access_token with the first login, and then populate the normal login with the access_token. Then upon submitting normally, I can use the access_token to gain the user info with the php sdk and store the fb ID in my db.
However, is this safe? Passing the access_token in a form? Also...I noticed there was a way to obtain the "code" key, and use that to later obtain the access_token and the user_info. However, I am not sure how to obtain the "code" when using the fb JS sdk login.
Any thoughts on this would be greatly appreciated. I hope I was clear.
Thanks
You should never transfer the access_token between client and server. When somebody gets hold if it, they can perform actions for the user under your Apps name.
I'm not sure I understand what you mean with "the facebook authentication is GONE when submitting normally".
Have you read the guides on using Authentication with the PHP SDK? You can find them here: https://developers.facebook.com/docs/php/gettingstarted/4.0.0#authentication
Using the FacebookJavaScriptLoginHelper you can easily get the information from the logged-in user, using JS, to your servers.
For the JS SDK: https://developers.facebook.com/docs/javascript/quickstart/v2.1#login
I receive my user's facebook informations from php through the api :
https://github.com/facebook/facebook-php-sdk
Is it safe enough to only save the facebook's user id in the database given in php or should i check this user identity from a token or any kind of password ?
Knowing that i can get all my user's informations in javascript and anyone can set it
Is it safe enough to loggin my facebook's user only thanks to the facebook's data return in php.
I am a bit confused with your quesion because you are using facebook's php sdk so all the user data recieved from facebook is on the server and not in the browser, so how is it possible for an intruder to update from JS? I think you have got it a bit wrong there.
In similar situations i read the data in php get all the necessary details store it in my users table along with the facebook token (mainly the email id). I didnt find much use of the token in my application but just for the sake of it i store it with this done i authenticate the user's session. For the same user logging in again i just check id already in users table and set session.
I want to update my site so that it can be linked to facebook users. I have a database and use mysql for the original login system. I now want to replace that with facebook. Thing is i want to still run my checks, i dont just want any facebook user to log in, only ones that get entered into the database. The only way users can access to my site is with a .edu address. How would i incorporate this along with the facebook plugins? Facebook has two options for the login-sytem, JAVASCRIPT or Server-side scripting. I just want to know the best practical way of doing what i want to do. Thanks
You have to do a 2-step login process then. First, validate the user's address (.edu or not), then Login with facebook. Not a good design, but both needs to be separated.
I hope following step will be helpful to you
Go for Login With Facebook
Take Extended Permission from User (email,read_stream).
Once you get Permission from user get user's facebook id using getSignedRequest() or FB.getLoginStatus.
Get user's information using graph api (i.e. https://graph.facebook.com/btaylor)
Get email id from response and check for valid user email (.edu).
If email Id is not .edu (Destroy user session and show invalid message)
I'm fairly new to facebook development, but have experience with PHP and JavaScript.
I've been reading through the SDK documentation and various articles regarding facebook integration but have found that a couple of fundamental questions are still open in my head!
I am trying to achieve the following:
Create a website that uses facebook only for registration and login
Use PHP to store facebook user id of registered users in a database on my app server, along with some limited app specific info for those users. All 'generic' info (email address, etc.) should be retreived from facebook.
when a user logs in, get a combination of database records for that user, and facebook stuff.
What I've achieved so far:
I have used the registration plugin to display a register button to unregistered users, and a login button for users who are logged out when they land on the page. I hide the login button using javascript and jquery if the user is already logged in.
I also have a page which receives a registered user and interprets the signed_request, adding the user's id to the users table in my database.
Where my confusion arises:
I want to use the Javascript SDK for user authentication (as it's really easy) - this is obviously done asynchronously on the client side.
Having said that, once a user has logged in using the JS SDK, I need to get some data from my database. I am happy to do this via an AJAX request, BUT that would require passing the facebook user id as part of that request. Surely this could be easily spoofed/changed by a savvy user & they could hence login to my application as someone else?
Question:
How do I securely pass information about a user who has logged in using the JS API to my server?
If the answer is "you can't" then why bother authenticating with the JS API? Is that just for apps that are really light touch?
Thanks in advance for any help!
The simple answer is, you use cookies. This Facebook blog post has a clear example of how to implement a client-side login and expose that data to the server.
Take a look at signed requests: https://developers.facebook.com/docs/authentication/signed_request/
It gives you a nice little primer on how signed requests work and how you can/should use them. If I understand your question correctly, this should answer your question as to why/how you can provide an extra layer of security. Send a signed request that only your application with its own app_secret can decode.
i am wondering how facebook works for logging in user on our websites.
I mean a user needs to be registered to my website for posting a comment, how can I check trough my php code if it's a logged user?
I heard you can only check if it's a logged user with javascript
Thanks for any explanation
You can use the Facebook PHP SDK to check if a user is logged in with Facebook, and optionally get information about her/him. That way you can let your users complete their registrations or use your website with some restrictions.
But you need to register a Facebook Application first, as that application will be shown when asking the user about for permissions you require.
You don't need JavaScript to do this, but Facebook makes it pretty simple to use thier JavaScript lib. You do have access to whether or not the user is logged in in php using this method.
Take a look at the single sign on section of the developers API.
If you are running a software package like Wordpress or phpBB you could google around to find a plugin that did it for you. Otherwise, ignore this ;)