
Server side facebook login status

I was fiddling with the facebook API last night for something, and came across a strange gap.

There doesn’t seem to be an easy way (from the documentation) to get a server-side login status for an individual user. This wasn’t exactly an enterprise app I was building; I was just checking whether I could get something up and running quickly when I came across this issue.

Let me describe the problem and how I solved it, though it might not work for everyone.

The issue is simple: how can I tell, server-side, whether someone is logged into facebook or not?
There are two flavors of being logged into facebook:

    logged in, but not known to my application
    logged in, and have authorized my application to do X,Y & Z

Scenario 1 is even more perplexing, but I’ll get to that in a second.

In scenario 2, if you already have the user’s auth_token, then with every call that you want to protect from users who are no longer logged in, you can ask for some non-public information from the facebook Graph API. When facebook denies you that access, the user has gone offline, and you should log them off.

However, let me add a twist: what if you have asked for offline access? In that scenario, facebook doesn’t expire the auth_token, and my proposed solution above doesn’t work.

What’s more perplexing is that there used to be a solution for this in the Facebook Connect (now deprecated) API.
There was https://facebook.com/restserver.php which, when sent the right auth_token and method, could return auth.getsession.

This might still work, but there is no reference to it in the documentation anymore, and the PHP SDK specifically refers to it as the “old” method. I’m going to assume things labeled in that manner aren’t going to survive very long.

So this leaves me with only the JavaScript SDK, the one API that references anything about getLoginStatus. How do I use that together with the rest of my application, which is entirely server-side code (in Rails)?

Well, the answer is I don’t really.

Here’s what I did
Session outside of facebook’s session
I create and use my own session for the most part. The only way to start a session is to authenticate with facebook, but assuming you give me permission, I have offline access and can keep accessing your fb data. When the user wants to do something “sensitive”, I run the following script at the top of the page:

<div id="fb-root"></div>
<script src="http://connect.facebook.net/en_US/all.js"></script>
<script>
  FB.init({
    appId  : 'YOUR APP ID',
    status : true, // check login status
    cookie : true, // enable cookies to allow the server to access the session
    xfbml  : true  // parse XFBML
  });

  FB.getLoginStatus(function(response) {
    if (response.session) {
      // Logged in AND has authorized this app: check the permissions the app needs
      // (fbCheckUserPerms is the application's own function, not shown here).
      fbCheckUserPerms();
    } else {
      // No user session available. Either we don't know them, OR they aren't logged into facebook.
      if (response.status == "notConnected") {
        // They are logged into facebook but have not authorized this app.
        // Redirect them to a page that proposes they authorize your app, and tells them why.
        alert("But is logged In"); // placeholder for that redirect
      } else {
        // They are no longer logged into facebook. Redirect to a page that destroys the current session.
      }
    }
  });
</script>

Note that this script does a little more than is needed to make the solution work; it also helps with scenario 1 from above, where they are logged into facebook but unknown to me. In that case, I take them to a page that describes the value proposition of my application and personalizes the page with the Registration & Login button social plugin.

If they are not logged into facebook, I forward them to a page within my application that destroys their session and then forwards them to the login screen.
Not the most efficient way by a stretch, and clearly not all server-side, but I can make that work for now.

One thing to be careful of: if they are already on a sensitive-information page and then log out of facebook in another tab, running this only at the top of the page might not be enough. You might have to rerun this script before submitting whatever it is that you don’t want them to do when they aren’t logged into facebook.
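The scenario 2 check from earlier (ask the Graph API for non-public data with the stored token and log the user off when facebook refuses) can also run server-side before each sensitive action, so the decision does not rest only on the page-load script. This is an added Ruby example, not code from the post; it assumes the Rails app keeps the Graph API access token in its own session under :fb_access_token, and the helper names are hypothetical. As noted above, it cannot detect a logout when the token was issued with offline access.

```ruby
require 'net/http'
require 'uri'
require 'json'
GRAPH_ME = URI('https://graph.facebook.com/me')

# Real transport: request the token owner's own profile. Injected as
# `fetch` so the check can be exercised offline with constructed replies.
DEFAULT_FETCH = lambda do |token|
  uri = GRAPH_ME.dup
  uri.query = URI.encode_www_form(access_token: token, fields: 'id')
  res = Net::HTTP.get_response(uri)
  [res.code.to_i, res.body]
end

# :valid   -> token still accepted by facebook
# :revoked -> facebook rejected it (OAuthException / 401): log the user off
# :unknown -> transport problem or unexpected reply: not proof of a logout
def facebook_token_status(token, fetch: DEFAULT_FETCH)
  return :revoked if token.nil? || token.empty?
  status, body = fetch.call(token)
  data = JSON.parse(body.to_s) rescue nil # non-JSON body -> nil
  data = nil unless data.is_a?(Hash)
  if data && data['error'].is_a?(Hash)
    # OAuthException (code 190) is how the Graph API reports an expired,
    # revoked or logged-out token.
    return :revoked if data['error']['type'] == 'OAuthException' || status == 401
    return :unknown
  end
  return :valid if status == 200 && data && data['id']
  :unknown
rescue SocketError, Timeout::Error, Errno::ECONNREFUSED
  :unknown
end

# Hypothetical Rails-style guard to run before every sensitive action, not
# only on page load. Fails closed on :unknown so a network blip never grants
# access; only :revoked destroys the app's own session.
def require_live_facebook_session(session, fetch: DEFAULT_FETCH)
  case facebook_token_status(session[:fb_access_token], fetch: fetch)
  when :valid then true
  when :revoked then session.clear; false
  else false
  end
end

# Constructed sample Graph API replies (shaped like real ones, not captured).
SAMPLE_OK      = [200, '{"id":"1234567890"}']
SAMPLE_REVOKED = [400, '{"error":{"message":"The session is invalid because the user logged out.","type":"OAuthException","code":190}}']
STUB_FETCH = ->(token) { { 'good' => SAMPLE_OK, 'stale' => SAMPLE_REVOKED }.fetch(token, [500, '']) }
```

In a controller this would be a before_filter that redirects to the session-destroying page whenever the guard returns false.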

My app doesn’t allow for much of this, so I’m fairly safe just checking on page load.