I've been playing around with the Facebook PHP SDK for a site that I'd like to use Facebook's single sign in for. I've been able to login to my Facebook account from my site and successfully tested a few of the features (posting to /me, an FQL query etc.).
When generating the login URL I have set the cookie parameter to true, however I seem unable to establish a persistent session with Facebook. At the moment the Facebook login window redirects the whole website (I have not yet tested this within the webpage or a popup). The user can authorise and is returned to my site, but the session data is stored in a query string on the return URL. If this string is removed the user must reauthenticate.
Previously I have worked with the JS SDK and this has not been an issue. It's worth noting in this case that I am avoiding using the FBJS (because I believe the PHP SDK is an alternative) and FBML (because it is deprecated) - I also have not implemented a cross domain communication file as this appears to be unnecessary.
I have read about conducting the authentication within an iFrame. I'm unable to find any documentation about this though.
I have considered storing the $_GET querystring in a session on my site and appending it to the website URL, or an iFrame URL, when I need to authenticate. I'm certain that this is the incorrect way to achieve what I'd like though.
Please could someone point me in the direction of some documentation regarding this. Perhaps I am mistaken in thinking I can do this without JS, or maybe I need to manually set up the session cookie? I've searched at length but have been unable to find any documentation that describes this specifically.
Thanks for any help!
Related
Right now I'm trying to develop a simple website to demo three kinds of logins: Facebook, Google, and Twitter.
I have gotten both Facebook and Twitter to use PHP Sessions to hold user data so I can reference them on any page (such as showing their name, avatar.)
The site I'm making will only use login to store their basic profile information such as id, name, and email simply as a login feature, it is not necessary to use any higher level features.
However, I can't get Google sign-in to dump its contents into a session, Google insists on using a callback and catching the callback through Javascript functions on the page.
Google doc help for this: https://developers.google.com/+/web/signin/add-button
I'm not really familiar with this, and not sure how to reference a user's data page-to-page without writing a bunch of javascript catch functions, and javascript can't set PHP sessions. Plus, I want to make the three somewhat uniform, so whether they are signed into Twitter, Facebook, or Google, I can just write in PHP
if (isset($_SESSION['USERID']))
{show their info no matter what login because they set the same session fields}
And everything would be happy.
So I would like to know if I can just inject Google Login info into PHP sessions and how I'd go about doing that.
============
A trailing question I have is that I've been scouring help and tutorials for Oauth login for days, and have not really arrived at a better understanding of how to do Oauth in the way that I would just understand and write it. It seems way too complicated and specific to each service to write freehand. And most documentation is an ocean of oh god what are they even talking about. So if someone could trigger my understanding in dumb people words that would be great.
I worked around this problem, my problem and resources in regards to jQuery sign-in can be found here:
Google signin callback - get name and email
Reflection on PHP Versus JQuery
Although Google has an API for PHP, when I found it it looked old and deprecated, with little to no help/documentation. Since I was new to Google's specific login flow and I was intent on basic web language solutions (they are rather dedicated to javascript/jQuery) I followed their jQuery sign-in documentation.
Since all my other login options use PHP it was a bother to make so many exceptions for jQuery.
But, what you can do is leave the callback method in the header on your pages. On login, Google verifies the login info and bounces you back to page, you can sweep the user to the right page in the callback, and you can also use AJAX to inject login information into the database.
The good thing about the jQuery signin is you don't have to keep track of PHP sessions and variables. The bad part is it feels a bit ungainly and inconvenient compared to just talking to the server with PHP.
If interested, see workaround link above.
if ($gClient->getAccessToken()) {
$userProfile = $google_oauthV2->userinfo->get();
//DB Insert
$gUser = new Users();
$gUser->checkUser('google',$userProfile['id'],$userProfile['given_name'],$userProfile['family_name'],$userProfile['email'],$userProfile['gender'],$userProfile['locale'],$userProfile['link'],$userProfile['picture']);
$_SESSION['google_data'] = $userProfile; // Storing Google User Data in Session
var_dump($_SESSION['google_data']);
header("location: account.php");
$_SESSION['token'] = $gClient->getAccessToken();
} else {
$authUrl = $gClient->createAuthUrl();
}
I'm trying to implement login and registration on a page using the Facebook API for both JS and PHP SDK 4.0. The 4.0 SDK seems relatively new and have changed a lot in recent time. There aren't a lot of answers out there. The documentation also seems pretty poor.
I already have a page with standard login using php/mysql. This will just be another option of login/registration for users.
After a couple of years just reading on Stackoverflow, this is my first post. Sorry in advance if it's in some way inadequate.
This is how I figure I would like to set this up:
A Facebook-button next to the login with a JS Facebook-login dialog connected to it.
If the user authorizes: send the result with an ajax-request to a php-page
Use FacebookJavaScriptLoginHelper to set up a session.
Get a long life access-token with getLongLivedSession.
Make a request for /me. Check if the email for this account is already a user on my site.
If not already a user: Ask for a username, register the user with info from Facebook.
Connect the account by saving the internal userid and the access-token in my database
Questions so far:
Am I supposed to send the token with my AJAX-call from the client, or would this be a security risk? I could just fetch the token with the PHP SDK instead.
Should i store the token with $_SESSION? Should I even store this manually myself? If so, is there built in functionality for this in the PHP SDK? Couldn't find any.
When a user has gone through this process I want to be able to check server side directly on page load if the user has authorized my app (and is logged in on FB).
Am I supposed to acquire the access-token using $_SESSION, or is there functionality for this? Isn't there any built in functionality to do a standard check if the user is authorized already?
When doing this in PHP, should I use the FacebookRedirectLoginHelper? Seems a bit odd since I'd never want to redirect with PHP, when my login dialogs will be with JS.
Maybe I've gotten the gist of this all wrong. My main concern is if I really would have to be storing the token with $_SESSION. I've seen a lot of people doing it in tutorials, but found nothing about it in Facebooks docs.
Thank you for your detailed post. Not a lot of people put so much effort in their first post ;)
The token you refer to is automatically stored in the cookie by the JS SDK. You can instantiate a session on the PHP side in the following way:
$js_helper = new FacebookJavaScriptLoginHelper($app_id);
$session = $js_helper->getSession();
Or: https://developers.facebook.com/docs/php/FacebookJavaScriptLoginHelper/4.0.0
You don't have to store the token by yourself, since it's already stored in the cookie.
Does this make the situation more clear?
So I'm trying to get the latest tweets posted by a user using a PHP script (and caching the results into a text file). I'm using the request https://api.twitter.com/1/statuses/user_timeline.json?count=5&screen_name=google and it's been working fine as a public client, but in order to get better control over my API hit limit I need to authenticate my requests.
I've tried the method shown at https://dev.twitter.com/docs/auth/application-only-auth , but after I successfully connect I get the error "Your credentials do not allow access to this resource" (why ?). So I've tried to use the OAuth method (which looks frighteningly complicated for a hobbyist like me), and downloaded the TwitterOAuth library. But I'm still having trouble connecting ! I put my credentials in the config.php file, but I have no idea where to go from there. The documentation seems to be hinting that I need to manually login to Twitter to authorize the application's connection token... or something. Apparently I need to redirect to some callback URL (what even ?!) and get a short-term connection to enable a long-term connection password which I have to store for later ? What is this madness ?
I was initially under the impression that I could just fetch data from Twitter's RSS feeds but those can't be accessed from scripts for some reason (unlike the Google News RSS feed which fetches just fine). It seems I've gotten myself into something much more complicated than what I signed for. Isn't there an easier (and saner) way of doing this ? Or is nothing decidedly simple ?
I apologize for being such an easily-confused dullard, but my head is spinning.
Thanks !
Edit : after digging around some more I decided to just use PHP curl to fetch the raw page, and then do some Xpath voodoo to get the tweets and the time they were posted at. Of course, this is CPU-intensive, far from stable, and probably not a practice that pleases the folks at Twitter; it also only returns the last 20 tweets (which is thankfully enough for my needs).
However, Cormac Driver's response below about Temboo is certainly a method I'll be investigating next time I need to do something like that.
Temboo provides a simple way of using OAuth to authenticate with Twitter. The process is broken down into two steps:
InitializeOauth. This step returns a Twitter authorization URL that Twitter account holders can visit to grant access to your script.
FinalizeOauth. This step returns the access token that your script will need to make authenticated requests to the Twitter API on behalf of the user.
Full details on how to do this with PHP here: https://www.temboo.com/library/Library/Twitter/OAuth/
You can see an example of how Temboo handles OAuth for Facebook on this page. The PHP source code is provided, and it's almost identical to the code you'll need to do the same thing for Twitter.
(Full disclosure: I work at Temboo)
How do you retrieve the username of someone on Youtube who is using your application with PHP? I'd prefer to do this without the API but if needs be point me in the right direction because i don't know what to download , I've visited the google developers site / place already.
I found some code from 2009 but it was to retrieve usernames from a youtube video and it didn't work. I tried reading the contents of page with the fopen() and file_get_contents() but it always appears as if I'm not signed in whereas I am signed in via FireFox.
Don't know if this makes a difference but I was running this on EasyPHP via localhost
Thanks
You can't, by design. You do not have their session cookie server-side where you're using fread. Youtube determines whether you are or are not signed in based on that session cookie, and you do not have one on your server.
If you want their YouTube user name, use a client-side API in JavaScript or simply ask them for it with a text input field. It is impossible to find it server-side, as it should be. Your server has no business finding out my Youtube username without my express permission and interaction.
We have a Flash site that integrates heavily with Facebook. When users sign up we get them to allow a Facebook app that ties into the site. This is done through the AS3 Facebook API library from Adobe.
When users have done this, they should then be able to sign up, submitting some personal details and so on. The Flash sends this request to our PHP which then checks to see if the user is actually logged into Facebook, and has allowed our app.
The problem we're having is that when a user goes to do this, the PHP facebook library says that the user is not logged in. If we then refresh the page and try signing up again, everything works fine.
I'd imagine it's a cookie thing, but we're really banging our head against a wall here and can't figure out why it's not working.
Cheers,
Mark.
Are you using OAuth (good example here by chirs coenraets)
Regardless, you may need to use a flash php/js proxy (php i presume since thats what your using) to deal with any crossdomain policy issues.