Talk:Authentication guide
From Facebook Developers Wiki
I've done some work implementing my own Java-based client for working with Facebook, and I've found the following:
* The "auth.createToken" method doesn't appear to be needed except for a desktop application (where it gets appended to the login URL)
* The "auth.getSession" method is not required when redirecting back to a canvas page
From my trial and error I've found that in order to log in, the following is possible:
* Application determines that there is no "session key" (for however it may store it)
* Application redirects to login page with appropriate parameters
* If login page redirects to a canvas page, then a session key is provided via the parameter "fb_sig_session_key" (and no call to auth.getSession is required)
* If the login page does not redirect to a canvas page, then an auth token is provided to the callback URL via the parameter "auth_token", and the auth.getSession method is required
If this is correct, I recommend some changes to the Authentication Guide to make these a little more clear. If, in the more likely case, I have missed something, I would really appreciate some feedback. Thanks!
The sig example is very confusing because it reuses "argument1" and "argument2" as both variable names and values. Could someone change this example to one that uses a real function and some example arguments?
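The signature check that protects the "fb_sig_session_key" parameter mentioned in the comments above, as an added example that is not part of the original comments or of the Facebook client library. It assumes the legacy Platform scheme (MD5 over the sorted name=value pairs followed by the application secret); the function names, the secret and all parameter values are constructed for illustration.

```php
<?php
// Added example: verify signed canvas parameters before trusting fb_sig_session_key.
// Assumes the legacy scheme: md5(sorted "name=value" pairs . application secret).
// Function names and all sample values are constructed for illustration.

function example_generate_sig(array $args, string $secret): string {
    ksort($args, SORT_STRING);              // sort by parameter name
    $base = '';
    foreach ($args as $name => $value) {
        $base .= $name . '=' . $value;      // no separator between pairs
    }
    return md5($base . $secret);            // secret is appended last
}

// Returns the signed parameters (prefix stripped), or null if the check fails.
function example_verified_canvas_params(array $request, string $secret): ?array {
    if (!isset($request['fb_sig']) || !is_string($request['fb_sig'])) {
        return null;
    }
    $signed = [];
    foreach ($request as $name => $value) {
        $name = (string) $name;
        // Only fb_sig_* parameters are covered by the signature.
        if (strpos($name, 'fb_sig_') === 0 && is_string($value)) {
            $signed[substr($name, strlen('fb_sig_'))] = $value;
        }
    }
    $expected = example_generate_sig($signed, $secret);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $request['fb_sig']) ? $signed : null;
}

$secret  = 'constructed-app-secret';
$request = [
    'fb_sig_user'        => '1234',
    'fb_sig_time'        => '1200000000.0',
    'fb_sig_session_key' => 'constructed-session-key',
    'unsigned_extra'     => 'ignored',   // not covered by fb_sig, never returned
];
$request['fb_sig'] = example_generate_sig(
    ['user' => '1234', 'time' => '1200000000.0', 'session_key' => 'constructed-session-key'],
    $secret
);

var_dump(example_verified_canvas_params($request, $secret) !== null);  // genuine request
$request['fb_sig_session_key'] = 'swapped-session-key';
var_dump(example_verified_canvas_params($request, $secret) !== null);  // altered after signing
```

Read the session key only from the array this check returns, never directly from the request.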
Logging in to and logging out of external web applications
I wanted to do the following:
- A user clicks a link in my website.
- The user logs in to my app in facebook (or to facebook first).
- The user is redirected to my website to do something related to facebook.
- The user submits his action and logs out from the facebook app.
- If the user clicks the link again - he will have to log in again.
Here's what works for me - I can't explain why - but I found no other way of logging out a user:
- Before showing the page I call login_facebook_user();
- After processing the action I call logout_facebook_user();
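/**
 * Call login_facebook_user() to initialize the facebook API with $fb_userid
 */
function login_facebook_user() {
    global $facebook, $fb_userid;
    // First visit in this session: send the user through the login page once,
    // with skipcookie=1 appended to the login URL.
    if (!isset($_SESSION['skipcookie'])) {
        $_SESSION['skipcookie'] = true;
        $facebook->redirect($facebook->get_login_url($_SERVER['REQUEST_URI'], $facebook->in_frame()).'&skipcookie=1');
    }
    // Use the $facebook object declared global above
    // (the posted code called an undefined $facebook_imp here).
    $fb_userid = $facebook->require_login();
}

/**
 * Call logout_facebook_user() before redirecting to another page that doesn't require facebook functionality.
 */
function logout_facebook_user() {
    // Forget the flag so the next visit goes through the login page again.
    unset($_SESSION['skipcookie']);
    // Expire the cookie named after the API key.
    setcookie($GLOBALS['api_key'], "", time()-3600);
}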
I'm not sure this is the ideal code - but it worked for me.
