My goal is to use Facebook Login on a website with as few api calls as possible. I don’t want to use any server-sided facebook api call on sites that don’t interact with facebook at all. That means I only want to use api calls for logging in and publishing things. However I don’t want to use Facebooks offline_access permission flag.
Here are some thoughts:
- Use own sessions for the site instead of relying on Facebook sessions. So a user stays logged in even if the Facebook session token is expired. Otherwise the user will be logged out as soon as the token is expired and needs to click login again to get a new token or Facebooks JS SDK will auto-login but this still isn’t perfect because the user will see the page in “logged-out state” and it will refresh as soon as the JS SDK got a new token. No-JS users have to click the Login button again.
- Cache Facebook user data in database or memcache. Use Facebook API Subscription to keep the database updated. -> No need to ask the API for changes in the user’s Facebook profile.
Problem:
- While using own sessions the Facebook session token might be expired when trying to publish sth. on Facebook. So you have to abort the current script and get a new token by redirecting the user to Facebook or using the JS SDK. Then continue the script. This is pain.
My thought on how to solve the problem:
- Instead of publishing things on Facebook using PHP you can also do this in Javascript. If the token is expired just get a new one using JS which does not require the page to be reloaded nor the page to be redirected to Facebook. However I want to support users with disabled Javascript and then this is not possible.
- In my opinion the only useful approach is to use own sessions with cached user data and keep the people logged in even if the Facebook token is expired. But redirect them to Facebook and back as soon as Facebook interaction is required. This way the user won’t see the page in “logged-out state”, no Javascript is required and the user will be only redirected to Facebook Login if it’s really needed. For Javascript users the Facebook JS SDK will renew the token (which is then stored in a cookie) without the user noticing this as the user is still logged in (using the own session handling).
What do you think? Is there another (better?) approach to do this? My last point quite seems doable but isn’t there an easier way? Thanks.
I had this exact same issue when creating an authentication system for my website. Like Elad Lachmi said, you can run FB.login on each page load – but this will cause a quick popup flash (gets very annoying).
My solution actually ended up requiring me to use offline_access. It seems that there is just no other appropriate way to keep the user logged in if they leave your site for a couple of hours.
Here’s the (potential) catch:
This combination should, every 15 minutes, fetch the most up-to-date user session ID from Facebook. It will cause it to be updated when it is close to expiration.
Please note that I haven’t tried this, and it may be against the Facebook ToS. But it is really the only solution without using offline_access if you want to keep a user logged in for more than 2 hours without requiring them to refresh a page.