Infinite session keys

From Facebook Developers Wiki

Jump to: navigation, search

EDIT : This functionality seems to be deprecated, and in violation of Facebook's Platform_Policy -- someone please confirm???? --122612301 12:55, 13 February 2008 (PST)

The question is often asked "How do I get an infinite session for my users?"

(If you're not creating apps for embedding in the Facebook website, this page may not be for you)

There is much confusion about how infinite sessions work (and there is talk now that they may go away: they're rather pointless) so here is the big news: You only need ONE for the most popular uses, so use your own. You generate it by selecting to 'stay logged in' when you install your app. There is no page to go to to generate a key. Nobody has to pass any such key to you.

Every time a user visits your App page, your server gets sent their current session in the POST variable fb_sig_session_key, so go to your own app page and grab the session key from your server-side app. You can tell when a session is infinite: The POST variable fb_sig_expires will be '0'.

Now that you have an infinite session key, you can call anything that needs one. Just remember to provide the uid on any methods you call, so that the system knows which user you want to work with. Yes, you are hard-coding an infinite session ID that you've scraped from your development work. This is what you are supposed to do.

Begin UPDATE: Jan 10, 2008

The information above does not show a true understanding of the Facebook API, and thus this wiki page is causing confusion. There are a handful of API calls that take a UID(s) as a parameter. For these few calls, the above information is correct. However, if you want to make a call to Friends.get(), which takes no uid in as a parameter, then the above example fails. In this case, the api is assuming that you want the information for the 'current user'. Who is the 'current user'? Why this is determined from the 'session_key parameter'. And that's why there is so much confusion, and why the plan above should not be followed if you ever want to use these api calls. I've included some text from the Friends.get doc's to make it clear:

Friends.get "Returns the identifiers of the current user's Facebook friends. The current user is determined from the session_key parameter." http://wiki.developers.facebook.com/index.php/Friends.get

So, if you have an app with 10 users. And you want to call Friends.get() for each user, then you will need to have stored an infinite session_key for each app user.

(I'm new to editing wiki's, so my apologies if this isn't the correct protocol for making a change to this page. Thanks, Ed)

End UPDATE: Jan 10, 2008

Contents

[edit] Example

setFBML() lets you directly insert FBML into the profile widget. You need a session key to do this, but it doesn't have to be the session key of the user whose page you wish to update. Your own key will do. UPDATE: setFBML() has recently undergone updates.. these examples are out of date, check the API page for more information.

PHP: 

$facebook->api_client->setFBML( $markup, $uid );

Perl: 

$facebook->profile->set_fbml( markup => $markup, uid => $uid );

Python: 

facebook.profile.setFBML( markup, facebook.uid )

[edit] Infinite Session Keys for Desktop Apps

For desktop apps, you must save both the session key and the "secret" that Facebook returns from the getSession() call.

For example, with Python: 

facebook = Facebook(API_KEY, SECRET_KEY)
facebook.session_key = 'Your Infinite Session Key'
facebook.secret = 'The Infinite Secret Key'
... any Facebook API calls here ...

[edit] Third Party Guides to session keys

http://www.inter-sections.net/2007/10/22/the-low-down-on-facebook-sessions/ - A clear starter guide if this page confused you. http://20bits.com/2007/06/19/5-facebook-application-gotchas/ - See point 3. VERY useful authentication and session check.

[edit] Notes

  • Session keys are pointless for apps: you have the app key and secret. You're signing every request. A session doesn't give you any further protection.
  • You still need the session key of a user if you want to write to their feed (facebook.feed.publishActionOfUser or facebook.feed.publishStoryToUser) so if you want to do that, it's worth grabbing the session_key each time a user goes to the app page (IE, your server gets a request).
  • If you are going to use feed.publishActionOfUser or feed.publishStoryToUser when the targeted user is not on your canvas pages (when the POST session_key is not available) then I suggest storing a session_key and whether it is infinite for each user of your app (when they visit your add page) in a database. You can then use facebook.users.isAppAdded to check if they are still a user. If yes you can then send to their news and mini feeds using the session_key even in their absence.
  • As it works now, users can only send notifications to friends, so if an app allows non-friends to interact with each other, the only way to send a notification about this activity is to store the sessions of all users, instantiate the facebook object with the recipient's session, and send notifications from users to themselves.

Can someone please elaborate on storing the infinite session key for each user and using it to update the mini-feed and for notifications? -- see third party guide above. 'Bold text'

Retrieved from "http://wiki.developers.facebook.com/index.php/Infinite_session_keys"