I am using Facebook php-sdk in my iframe facebook app to get user login status.
Right after I sign out using facebook Account > Log out link, the session is not destroyed yet. I must wait a few minutes before old session expires, then my app will again get the correct login status.
I expect the facebook to kill itself and the session when user signs out. How do I manually kill the session?
Here is my code:
$initParams = array(
'appId' => $conf['app_id'],
'secret' => $conf['secret_api_key'],
'cookie' => TRUE,
);
$fb = new Facebook($initParams);
$fb->getSession(); // will return a session object eventhough user signed out!
SOLVED:
calling $fb->api('/me') will destroy the session if user has previously logged out.
I've changed my code as following:
if ($session)
{
try
{
$fbuid = $fb->getUser();
$me = $fb->api('/me');
}
catch(FacebookApiException $e){}
}
If the API call is unsuccessful, $session will be set to NULL. Very weird behavior, I don't explain everything that is going on here but it solved my problem of having residual session object not being updated via getSession() method.
I'm using $fb->getUser() and what I did was almost identical with yours.
if ($fb->getUser())
{
try
{
$me = $fb->api('/me');
}
catch(FacebookApiException $e){
**$fb->destroySession();**
}
}
I found that using only API to check whether FB is logged out or not sometimes is inconsistent, but with destroySession(), the session will surely be destroyed.
if you are using the javascript FB.INIT calls on the login page, then set status to false from true.
details about the status attribute :
http://developers.facebook.com/docs/reference/javascript/FB.init/
Try finding the formatData function somewhere at LoginWindow (AS3) and find this line:
vars.redirect_uri = FacebookURLDefaults.LOGIN_SUCCESS_URL
Change the value for http://www.facebook.com/ and logout from that html page when logged in.
This is a temporary solution to logout if you are developer, not the end user.
Facebook should disassociate the session from the account that the session belonged to. You can use Facebook::getUser() to check whether this was done:
if ($fb->getUser() === null) {
// User logged out
} else {
// User logged in
}
Try $facebook->setSession(null) or using javascript Logout
Logout does not work any way you do.
Try posting this link in your browser, after you log in to facebook.
https://www.facebook.com/logout.php
What happen? it takes you to your facebook. No logout at all.
What ever you do, check the function (depends on your API) handleLogout and check the output. In my case, it returns the entire facebook html page.
The only way I've managed to solve this problem was by clearing the session using the signed request to check the user id:
$facebook = Membership::getFacebookApp();
$signed_request = $facebook->getSignedRequest();
if(isset($_SESSION['facebook_id']) && $signed_request['user_id'] != (int)$_SESSION['facebook_id']){
$_SESSION = array();
}
Related
I am totally new to facebook api and I wanted to ask , whats the easiest and fastest way to know if a person is logged in to facebook.
One solution that I tought of is to send a javascript or php request and see if i get some status code that tells me whether the person is logged in or not (say if it returns 404, then that means he isnt logged in).
update:
I found this easy "hack":
function logged() {
alert('logged');
}
function notlogged() {
alert('not logged');
}
</script>
<script src="http://www.facebook.com/ajax/composer/attachment/question/question.php" onload="logged()" onerror="notlogged()">
But it doesnt work... however, thats the type of code that i am looking for..code that would send a request and if fails, it will throw an error
**update**
I dont want to trigger any suspicion from the user that I am checking if he is logged in. So if there is a use of app_id, then I would think that I need the users permission to use my app..that is a burden cause I will have to take another authentication step.
I cant have the user know that he is being authenticated in any way regarding facebook
If I am reading your code correctly, only if no session is returned do you do the redirect? According to comments in Facebook's example: http://github.com/facebook/php-sdk/blob/master/examples/example.php (great place to this info huh?), even if you get a session back, you can't assume it's still valid. Only trying an API call that requires a logged in user will you know for sure. This is the best way I've seen to reliably determine login/logout status.
if ($session) {
try {
$me = $facebook->api('/me');
if ($me) {
//User is logged in
}
} catch (FacebookApiException $e) {
//User is not logged in
}
}
try This, Hope this will help
include 'facebook.php';
$facebook = new Facebook(array(
'appId' => $app_id, // your application id
'secret' => $app_secret, // your application secret
'cookie' => false,
));
$user = $facebook->getUser();
$loginUrl = $facebook->getLoginUrl(
array(
'scope' => '// put your permission'
)
);
if ($user) {
try {
// Proceed knowing you have a logged in user who's authenticated.
$permissions = $facebook->api('/me/permissions');
} catch (FacebookApiException $e) {
$user = null;
}
}
if (!$user) {
echo "<script type='text/javascript'>top.location.href = '$loginUrl';</script>";
}
If you have a facebook "tab" then limited user information is provided to you as part of the signed_request. And for a facebook tab, you need to create an app.
Otherwise, without an App ID and alerting the user YOU CANNOT DO IT.
There have been hacks in the past, some of the cleverer ones have been to put up comment boxes and measure the hieght of the containing DIV (they used to be larger if logged in) or to include the facebooks FBML tabs to show a log in button (log in was wider) but theses were all stamped out as they were discovered. The same probably goes for the link you tried in your question.
Facebook, for all the debate on rpivacy, won't knowlingly leak information - until you get an app id, ask the user then you can get nearly everything...
Check this topic: https://stackoverflow.com/a/10698594/1789650
This should answer your question. You have to load the javascript SDK to get it to work correctly.
The question is the same as title. I'm using the latest php-sdk (v3.1.1) to operate server-side authentication flow.
I have 2 tabs in Chrome, one is my Facebook page and the other is php test page. These 2 problems happen many times:
$facebook->getUser() still returns 0 even when I logged in.
$facebook->getUser() still returns an ID even when I logged out.
I have to do a work-around of this: try initiating a graph API request with provided access_token, and check if $response->error->type == "OAuthException" to ensure there's an active session or not.
Is there any way to use $facebook->getUser() "stably"? I've searched a lot through SO but not found best answer for php-sdk 3.1.1 yet.
Highly appreciate any helps. Thanks.
Login.
As per documentation example of FB SDK, getUser() returns userId even when you're logged out, but have cookies associated with FB account.
To detect is user logged in you should use
$user = $facebook->getUser();
//Check Access token
if ($user) {
try {
$user_profile = $facebook->api('/me');
} catch (FacebookApiException $e) {
$user = null;
}
}
if ($user) {
//logged-in
} else {
//not logged-in
}
To login in your app make user logs in in your app, not on neighbouring tab, by following this url (make sure that you're passing the scope based on intended actions performed by your app):
$loginUrl = $facebook->getLoginUrl(
'scope' => ...
);
Logout. Seems that your PHP server is storing some values of access tokens per session, so even when you're logged out in your browser, your server still have these tokens valid. Actually, I don't know, is it bug or feature, but they're not destroyed by Facebook after user logout.
To destroy these tokens I'm using these:
$facebook->destroySession();
I'm calling it every time when user logs-out by $facebook->getLogoutUrl();
How do I check if the user is really loggedin? $facebook->getUser() still returns an ID after logout. Do I need to do something like $facebook->api('/me') just to check if the user is "really" logged in?
Well, FB PHP SDK in my opinion is quite tricky because it relies on a cookie sent from Facebook when you are logging into the Facebook. This cookie is not deleted whilst logging out. Because of that in below code the variable $uid could store a proper user facebook id:
$uid = $facebook->getUser();
So, as far as I know, call $facebook->api('/me'); will tell the truth whether the user is logged in or not.
try {
$facebook->api('/me');
/* user is really logged into FB */
} catch (Exception $e) {
/* user is not currently logged into the FB */
}
I use above code in my production application and it works well.
getLoginStatusUrl should do the trick.
I think that if you ask for offline_perms than you have access to user_id and so on. I don't know if you did, but most likely that should be the problem
Have you tried the method detailed in the Facebook PHP SDK Documentation?
$params = array(
'ok_session' => 'https://www.myapp.com/',
'no_user' => 'https://www.myapp.com/no_user',
'no_session' => 'https://www.myapp.com/no_session',
);
$next_url = $facebook->getLoginStatusUrl($params);
Returns a URL based on the user’s login status on Facebook. You can
get a different URL depending on whether the user is logged in, not
connected, or logged out of Facebook.
Is there a way to use the facebook connect api in a static way?
When we use the facebook php sdk the link or button to login to facebook is something like https://www.facebook.com/dialog/oauth..................
what I want is to eliminate the include of the php sdk on every page, because it will cause some extra processing and server load in peak times.
I want to make a session check to know if the user is logged in, by checking for exemple if his facebook user id and name are stored in the session, then if not, display a static login button. then after login with facebook he gets to facebook-login.php which will include the facebook php sdk and process his data and store them in the session, so that he remains logged without including the php sdk in each page.
the url structure that I get with $facebook->getLoginUrl() is:
https://www.facebook.com/dialog/oauth?client_id={MY_APP_KEY}&scope={PERMISSIONS}&redirect_uri={MY_SITE/facebook-login.php}&state={A_32_CHAR_CODE_LIKE_MD5_MAYBE}
The final question is: WHAT WOULD BE THE URL IN THE LOGIN BUTTON?
just load the sdk and do something like:
echo 'Connect to Facebook';
that url will always be valid for a logged out user
This is a good question. First, a user is logged into you app means that you have a valid access token for the user.
And there is no way to be sure that an access token is valid before making an API call with this access token. So if you want to make sure the user is still logged in on each page, you have to make an API call to Facebook on each of them. Kind of heavy, but there is no other solution.
What you can do is assume that the access token you have is valid and check only once a while (when you really need to be sure the user is logged in).
You can have different scenario :
you have no Facebook data about the user : the user is not logged in your app for sure.
you can read the user ID, but you may not have an access token for this user : the user may not be logged in.
you can read an access token, but it may not be valid (has expires or revoked by the user) : the user may not be logged in.
you have a valid access token : the user is logged in for sure.
You can read the user ID and the access token in the session. The session array looks like that :
[fb_148195765253871_access_token] => 14819576525...
[fb_148195765253871_user_id] => 1536397056
The number in the keys of the array (here 148195765253871) is your app ID.
So what you can do on each page is to check if those keys are set and if they are not, load the SDK and double-check (because the access can be store in some other places that the SDK is reading) :
if (isset($_SESSION['fb' . YOUR_APP_ID . 'access_token'])) {
// assume to user is logged in
// and keep going
} else {
require "facebook.php";
$facebook = new Facebook(array(
'appId' => YOUR_APP_ID,
'secret' => YOUR_APP_SECRET,
));
// Make an API call to be sure the user is logged in
// ie : that you have a valid access token
$user = $facebook->getUser(); // User ID
if ($user) {
try {
$user_profile = $facebook->api('/me');
} catch (FacebookApiException $e) {
$user = null;
}
}
if ($user) {
// The user is logged in for sure
} else {
// The user is not logged in for sure
// Make him log in
echo 'Login with Facebook';
}
}
Hope that helps !
The selected answer does not really answer the question.
If you would like to isolate all the Facebook code necessary for generating the getLoginUrl function call into a separate file you can do this easily by using meta refresh.
So in your header point the link "Login With Facebook" to "facebook_login.php". On this page include the necessary calls from the SDK for getLoginUrl and than add the following line of HTML.
<meta http-equiv="refresh" content="0;URL=<?=$helper->getLoginUrl(array('email', 'user_friends'));?>">
I tested this out multiple times and it works.
FYI using Facebook SDK 4.0.
I am using a modified version php-sdk version 3.0.0 sample code at github.com/facebook within the CodeIgniter framework as a helper.
My problem is just as the title says: When I click the logout anchor (provided by $Facebook->getLogoutUrl()) I am redirected back to the same page and receive an OAuthException:
Fatal error: Uncaught OAuthException: Error validating access token: The session is invalid because the user logged out. thrown in [...]/base_facebook.php on line 959
When I refresh, it loads the "login" anchor like it normally would. What is happening on that refresh/post-back that isn't happening on that initial redirect?
I realize this is limited information but due to the problem I think it may be a simple fix.
EDIT: This post seems to be relevant: http://forum.developers.facebook.net/viewtopic.php?id=71219
Specifically this line:
setcookie('fbs_'.$facebook->getAppId(), '', time()-100, '/', '.domain.com');
However, I am not sure how to implement this and still use $facebook->getLogoutUrl();.
Thanks in advance and just let me know if more information is necessary.
I was having the same problem and nearly pulling my hair out. However, after some research, it appears the problem is an offending cookie. This line on logout should fix it:
setcookie('fbs_'.$facebook->getAppId(), '', time()-100, '/', '.domain.com');
Ensure to add the '.' before the domain name if subdomains are being used.
I hope this helps!
As suggested, I tried:
setcookie('fbs_'.$facebook->getAppId(), '', time()-100, '/', '.domain.com');
This didn't work. What I did, was to just copy from the fb example code:
// Get User ID
$user = $facebook->getUser();
// We may or may not have this data based on whether the user is logged in.
//
// If we have a $user id here, it means we know the user is logged into
// Facebook, but we don't know if the access token is valid. An access
// token is invalid if the user logged out of Facebook.
if ($user) {
try {
// Proceed knowing you have a logged in user who's authenticated.
$user_profile = $facebook->api('/me');
} catch (FacebookApiException $e) {
error_log($e);
$user = null;
}
}
// Login or logout url will be needed depending on current user state.
if ($user) {
$logoutUrl = $facebook->getLogoutUrl();
} else {
$loginUrl = $facebook->getLoginUrl();
}
The middle part, with if try get user_profile, is a test to get the user profile, and if it fails the userid will be unset. This will make the last part with getLoginUrl() and getLogoutUrl() correct.
I do believe setting the cookie is more correct, than to try a request and see if it fails... but since the setcookie didn't work, I didn't have a choice :(
Stupid facebook that returns a token with this $user = $facebook->getUser();, when the user actually is logged out.
Hope this helps those who is in need.
From the looks of your error it would appear your website is still trying to connect to Facebook using the SDK. When you run the logout function provided by Facebook make sure to clear whatever sessions or storage you have that triggers calls to Facebook.
It's likely that they aren't being cleared before you attempt your Facebook logout, and this is why it still thinks you have a connection but then works fine on refresh.
What I ended up doing was this:
$facebook->getLogoutUrl(array('next' => site_url('logout')));
Then in the 'logout' controller:
$_SESSION = array();
$this->load->view('myoriginalview');
On logout, the facebook logout url's query string redirect_uri value is set to redirect to the 'logout' controller which then clears the session and loads the view on which the logout button existed in the first place. Everything functions fine. Now I just have to figure out how to handle an expired session as opposed to a logged out user -_-
EDIT:
What I've done now is invalidate the cookie in the proper manner as described on the facebook developers forum. I really wish their documentation was better and described this for their PHP SDK.