User Login FAQ

From Facebook Developer Wiki


You've asked questions about how the new application authorization paradigm works. We hope this FAQ clarifies any confusion you might have.

Q: Do I need to have a user authorize my application?

A: Not necessarily, and not immediately after the user first interacts with your application.

When a user visits your canvas page, you don't need to redirect the user to login.php. A user can begin interacting with your application immediately, making for a frictionless experience.


Q: Why shouldn't I require a user to log in and authorize my application before interacting with it?

A: For two reasons. First, when we switched to publishing metrics based on monthly active users, we also changed the code so that a user doesn't have to authorize your application before being considered an active user. Similarly, if the user interacts with your application profile box (and soon, tab or Publisher) on a friend's profile, that user is counted as an active user.

Also, as we mentioned recently, when a user who hasn't authorized your application visits your application's canvas page, we'll send you the user's UID and friend UIDs, and you can use the IDs to get those users' public search listing data (except for any users who have chosen to not display a public search listing). You can present Feed and request forms to these users.


Q: OK, so why should I require a user to authorize my application?

A: If your application needs to access more user data, or you need to send the user notifications, for example, you can prompt the user to authorize your application. To do this, include the requirelogin attribute in links to your application, as in <a href="http://apps.facebook.com/mysmiley" requirelogin="1">Welcome to my app</a>. This pops up a lightweight Ajax dialog, providing the user with a more seamless experience.


Q: What happens when a user authorizes my application?

A: Once the user authorizes the application, you can start sending application-to-user notifications and publishing one-line News Feed stories automatically.


Q: Do I need to keep calling a login dialog, like if the user logs out of Facebook?

A: The user needs to authorize your application only once.


Q: How can I tell if a user has authorized my application?

A: When the user authorizes your application, we'll ping your post-authorization URL (which you specify in your application's settings). In addition, you can call users.isAppUser to get your answer.


Q: What if I want to redirect the user after the user authorizes my application?

A: If you need to take the user to a special page after the user authorizes your application, you need to have the user authorize your application from login.php (that is, call require_login), and you need to specify a post-authorization redirect URL in your application's settings. This is a heavier way to authorize your users, and you should consider using the lighter-weight Ajax dialog as mentioned above.


Q: I thought Facebook is deprecating add.php. Why does the post-add URL still exist in my application's settings?

A: The post-add URL still appears in the Developer application as it's needed for redirecting a user after an application has been installed onto a Page (and for those users who haven't opted into the new profile yet). This is needed for backwards compatibility.


Q: Can I still get notified if a user removes my application?

A: Yes, if you specify a post-remove URL in your application's settings. Facebook pings this URL when a user removes your application.


Q: How can I tell whether a user is on the new profile or the old one?

A: Facebook passes an fb_sig_in_new_facebook parameter now. This parameter is set to true when the request comes from apps.new.facebook.com. If your application gets this parameter, and it is set to true, then you know the request came from a user on the new Facebook profile.


Q: How do session keys fit into this structure?

A: Applications no longer receive an infinite session key when a user authorizes your application. Instead, you'll get a temporary session key that lasts an hour or until the user logs out of Facebook. Once you get a session key, you can start sending user-to-user notifications, publish short and full News Feed stories (with user approval), and access more profile data.
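
The fb_sig_in_new_facebook parameter and the temporary session key described above both arrive as request parameters, so they should only be acted on after the request signature has been checked. The following is an added example, not code from this wiki or from the Facebook client library: it verifies the legacy fb_sig signature (MD5 over the sorted fb_sig_* pairs plus the application secret) and then reports the profile version and whether the session key is still usable. The parameter names fb_sig_session_key and fb_sig_expires, the accepted values "1"/"true", the meaning of expires == 0, and all sample values are assumptions not stated on this page.

```python
import hashlib
import hmac
import time

PREFIX = "fb_sig_"

def compute_sig(fields, app_secret):
    # MD5 over sorted "key=value" pairs (prefix stripped) followed by the secret.
    base = "".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hashlib.md5((base + app_secret).encode("utf-8")).hexdigest()

def verify_fb_sig(params, app_secret):
    """Return the signed fields (prefix stripped), or None if fb_sig does not match."""
    fields = {k[len(PREFIX):]: v for k, v in params.items() if k.startswith(PREFIX)}
    expected = compute_sig(fields, app_secret).encode("ascii")
    supplied = str(params.get("fb_sig", "")).encode("utf-8")
    return fields if hmac.compare_digest(expected, supplied) else None

def describe_request(params, app_secret, now=None):
    """Summarise what a canvas request may be trusted to say."""
    fields = verify_fb_sig(params, app_secret)
    if fields is None:
        return {"trusted": False}  # ignore every fb_sig_* value
    now = time.time() if now is None else now
    expires = int(fields.get("expires") or 0)
    key = fields.get("session_key")
    # Assumption: expires == 0 marks an infinite / offline-access session.
    usable = bool(key) and (expires == 0 or expires > now)
    return {
        "trusted": True,
        # Assumption: the flag is sent as "1" or "true".
        "new_profile": fields.get("in_new_facebook") in ("1", "true"),
        "session_key": key if usable else None,
    }

# Constructed sample request; the secret and all values are made up.
SECRET = "example-app-secret"
_fields = {"user": "1234", "in_new_facebook": "1",
           "session_key": "constructed-key", "expires": "1219000000"}
SAMPLE = {PREFIX + k: v for k, v in _fields.items()}
SAMPLE["fb_sig"] = compute_sig(_fields, SECRET)

if __name__ == "__main__":
    print(describe_request(SAMPLE, SECRET, now=1218999000))
    print(describe_request(dict(SAMPLE, fb_sig_in_new_facebook="0"), SECRET))
```

The same check applies to the post-authorization and post-remove pings: a request whose signature does not verify should not change a user's stored authorization state.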


Q: What happens to the infinite session if a user installed my application on the old profile, then switched to the new profile?

A: The user continues to have an infinite session -- even on the new profile -- until we deprecate infinite sessions, at which point Facebook starts sending temporary sessions. We'll send a temporary session key for any user who starts interacting with your application for the first time on the new profile.


Q: How can I get something like an infinite session from a user?

A: Each time a user who has authorized your application interacts with it, Facebook sends you a session key. If necessary, you can prompt that user for an extended permission to grant offline access to your application.


Q: I thought you were deprecating infinite sessions?

A: We are deprecating infinite session keys after the new profile launches to all users on August 27, 2008. However, if a user previously granted an "infinite session" (by checking the Keep me logged in check box on the original application add page), then that user will be considered to have granted your application offline access (what used to be an infinite session) and your sessions will continue to act as they did on the old profile.


Q: I've heard that some API calls no longer require a session key. Which ones are they?

A: To make it easier on our developers, many API calls no longer require session keys.
