I am making a web application where I get a user’s information from his/her Facebook API after he/she logs in with Facebook to use my web application.
I have PHP code that succeeds in getting an offline_access access_token from a user when he/she logs into my application.
However, I am not sure what to do with that token.
Do I insert it into the database when I insert other information about the new user into my database, so I can have access to it when the user is offline?
If so, should I be treating it with the same security as a password?
Any help/suggestions greatly appreciated.
Depending on the Facebook SDK, you should store the user session (SDK 2.x) or only the access token (SDK 3.x). The best place to store it is the database. I usually save tokens on user creation and refresh the saved token on user login (because tokens still have an expiration time).
Then, when you need to use the token (or session), you should use either
or
Hope this helped.
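An added example, not part of the question or the answer above: the save-on-creation, refresh-on-login storage the answer describes, with the token encrypted at rest. A token cannot be hashed like a password because it has to be sent back to Facebook in usable form. The table `fb_tokens`, the functions `saveToken` and `loadToken`, and the use of libsodium are assumptions made for this illustration.

```php
<?php
// Added example; table, column and function names are hypothetical.
// Needs PHP >= 7.2 (bundled sodium) and the pdo_sqlite extension.

// Assumption: in production the key is loaded from a secret store kept
// outside the database, so a database dump alone does not expose tokens.
$key = sodium_crypto_secretbox_keygen();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// token_box holds nonce || ciphertext; expires_at is Unix time.
$db->exec('CREATE TABLE fb_tokens (
    user_id INTEGER PRIMARY KEY,
    token_box BLOB NOT NULL,
    expires_at INTEGER NOT NULL
)');

// Call on user creation and again on every login to refresh the stored token.
function saveToken(PDO $db, string $key, int $userId, string $token, int $expiresAt): void
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = $nonce . sodium_crypto_secretbox($token, $nonce, $key);
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO fb_tokens (user_id, token_box, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->bindValue(1, $userId, PDO::PARAM_INT);
    $stmt->bindValue(2, $box, PDO::PARAM_LOB);
    $stmt->bindValue(3, $expiresAt, PDO::PARAM_INT);
    $stmt->execute();
}

// Returns the plaintext token, or null if it is missing, expired or tampered with.
function loadToken(PDO $db, string $key, int $userId, ?int $now = null): ?string
{
    $stmt = $db->prepare('SELECT token_box, expires_at FROM fb_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] <= ($now ?? time())) {
        return null; // caller must send the user through login again
    }
    $nonce = substr($row['token_box'], 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($row['token_box'], SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Constructed sample values, not real tokens.
saveToken($db, $key, 42, 'CONSTRUCTED-TOKEN-AT-SIGNUP', time() + 3600);
saveToken($db, $key, 42, 'CONSTRUCTED-TOKEN-AT-LOGIN', time() + 7200); // refreshed on login
var_dump(loadToken($db, $key, 42));                 // token from the latest login
var_dump(loadToken($db, $key, 42, time() + 99999)); // evaluated after expiry
```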