I’m using Facebook’s PHP SDK to log users in to my website, like so:
<?php
$facebook = new Facebook(array(
"appId" => "myAppID",
"secret" => "mySecret",
));
$user = $facebook->getUser();
if ($user) {
try {
// user is authenticated
$user_profile = $facebook->api("/me");
} catch (FacebookApiException $ex) {
$user = null;
}
}
if ($user) {
$logoutURL = $facebook->getLogoutUrl();
?>
<img src="https://graph.facebook.com/<?php echo $user; ?>/picture" />
<a href="<?php echo($logoutURL); ?>">Logout</a>
<pre><?php print_r($user_profile); ?></pre>
<?php
} else {
?>
<a href="<?php echo($loginURL); ?>">Login</a>
<?php
}
?>
The problem is that when a user returns to the site, they’re no longer logged in, and have to log back in.
Is it possible for returning users to remain logged in?
Update:
My exact solution ended up being a combination of the JavaScript and PHP Facebook SDKs.
The problem is that a cookie isn’t used to store the Facebook login information—a PHP session is (PHP session cookies expires when the browser is closed). In addition to this, unless you have offline access, the access tokens expire. In other words, even if you were to store the Facebook access token in a cookie, it would eventually expire and the user would be logged out.
The JavaScript I ended up using:
FB.init({
appId: "myAppID",
cookie: true, // enable cookies to allow the server to access the session
xfbml: true, // parse XFBML
oauth: true // enable OAuth 2.0
});
FB.Event.subscribe("auth.login", function(response) {
// a user logged in who was not previously logged in
window.location.refresh(true); // ideally modify the page with JS rather than refreshing
});
FB.Event.subscribe("auth.logout", function(response) {
// a user logged out who was previously logged in
window.location.refresh(true); // ideally modify the page with JS rather than refreshing
});
// check if the user is logged in or not, using the Facebook JS SDK
FB.getLoginStatus(null);
When the page is loaded, the Facebook JavaScript SDK checks with Facebook to see if the user is logged in. If the user is logged in, and the cookie isn’t already set, it will be set. You can then refresh the page (or, ideally, modify it with JavaScript) and the server will be able to access the cookie using the regular PHP SDK (and the first piece of code in this question).
This is the best way I’ve found for persistent logins across browsing sessions.
There are two scenarios here. One is to authenticate the user, and the other one is to recognize the user.
What usually happens when you use the login methods provided from any Facebook API is that they will see if the user have a session going with Facebook. If not the user will be prompted to log in so you can see which user it is. In your case you want the user to always be logged in to Facebook. This is not really doable since you need to find out which user it is. You could store a cookie on the users computer with some recognition details. You would need to have offline permissions for the user or else the user will have to be logged in with the API to get a fresh access_token.
If you want my advise you should just use the GetLoginStatus method of the API to check if the user has a session going with Facebook. If the user is not logged in to Facebook it is not too much to require them to log in on your website. Most users who use Facebook have their login stored so they will always have a session going whenever their browser is open.
That would/is the best way to go about it as it doesn’t require you to ask the users for offline permissions which I suppose many users wouldn’t want to give. If for some reason you can’t use that approach I suggest getting offline permission and then storing a cookie on their computer with no timer on it so it won’t be automatically deleted.
Sorry for the wall of text, but I hope I was somewhat helpful 🙂