Note on Facebook’s secure cookie format
In their new secure cookie format, Facebook provides an OAuth code, which Koala automatically exchanges for an access token. Because this involves a call to Facebook's servers, you should consider storing the user's access token in their session and only calling get_user_info_from_cookies when necessary (access_token not present, you discover it's expired, etc.). Otherwise, you'll be calling out to Facebook each time the user loads a page, slowing down your site. (As we figure out best practices for this, we'll update this wiki.)
Let me get this straight: even if I use the JavaScript SDK to parse the cookies, I still need to do a server-to-server call to Facebook? Doesn't this make the whole JavaScript SDK for user authentication kind of useless? I always need to check the cookies (so I won't have a stale access token), thus calling Facebook every time?
What this quote is talking about is lightening the load on Ruby by not re-validating the OAuth token with a key exchange between Ruby and FB on every call.
So, you can save the token in session/db/your own cookie/etc., or you can have FB's JS SDK revalidate it and pass it to you as part of your request.
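The caching the wiki note recommends (keep the access token in the session, call get_user_info_from_cookies only when no usable token is cached) as an added example; this is not Koala's code or code from anyone in the thread. It assumes the exchange returns a Hash with "access_token" and an optional "expires" (seconds until expiry) like Koala's get_user_info_from_cookies, and uses a constructed stand-in for that call, counting exchanges, so it runs offline; the cookie name fbsr_123 and the SessionTokenCache/FakeExchange names are assumptions for illustration.

```ruby
# Added example, not Koala's code: keep Facebook's access token in the
# user's session and only perform the code-for-token exchange (the call to
# Facebook's servers) when no usable token is cached.
class SessionTokenCache
  # exchange: a callable taking the cookie hash and returning a Hash with
  # "access_token" and optionally "expires" (seconds), or nil when the user
  # is not logged in. In a Koala app this would be
  #   ->(cookies) { oauth.get_user_info_from_cookies(cookies) }
  # (assumption: Koala's result carries these key names).
  def initialize(session, exchange, clock: -> { Time.now })
    @session  = session
    @exchange = exchange
    @clock    = clock
  end

  # Returns the cached token, refreshing it only when absent or expired.
  def access_token(cookies)
    tok = @session[:fb_access_token]
    return tok if tok && !expired?
    refresh!(cookies)
  end

  # Call this when a Graph API request fails with an OAuthException, so the
  # next page load re-exchanges the code instead of reusing a dead token.
  def invalidate!
    @session.delete(:fb_access_token)
    @session.delete(:fb_token_expires_at)
  end

  private

  def expired?
    exp = @session[:fb_token_expires_at]
    exp.nil? ? false : @clock.call >= exp
  end

  def refresh!(cookies)
    info = @exchange.call(cookies) # the server-to-server call
    return nil unless info && info["access_token"]
    @session[:fb_access_token] = info["access_token"]
    secs = info["expires"].to_i
    # Long-lived tokens without an expiry are kept until invalidate!
    @session[:fb_token_expires_at] = secs > 0 ? @clock.call + secs : nil
    info["access_token"]
  end
end

# Constructed stand-in for Facebook so the example runs offline: counts how
# many times the exchange actually happens. The cookie name fbsr_123 stands
# for fbsr_<app_id>, an assumption for this example.
class FakeExchange
  attr_reader :calls

  def initialize(expires: 3600)
    @calls = 0
    @expires = expires
  end

  def call(cookies)
    @calls += 1
    return nil unless cookies["fbsr_123"]
    { "access_token" => "token-#{@calls}", "expires" => @expires, "user_id" => "42" }
  end
end

# Simulates `loads` page loads, then one more after the token has expired.
# Returns [number of exchanges performed, tokens seen by each page load].
def simulate_page_loads(loads, expires: 3600)
  now = Time.at(1_000_000)
  clock = -> { now }
  session = {}
  fb = FakeExchange.new(expires: expires)
  cache = SessionTokenCache.new(session, fb, clock: clock)
  cookies = { "fbsr_123" => "signed-request-with-code" } # constructed cookie
  tokens = Array.new(loads) { cache.access_token(cookies) }
  now += expires + 1 # advance past expiry; the next load must re-exchange
  tokens << cache.access_token(cookies)
  [fb.calls, tokens]
end

if __FILE__ == $PROGRAM_NAME
  calls, tokens = simulate_page_loads(3)
  puts "exchanges: #{calls}, tokens per load: #{tokens.inspect}"
end
```

With three page loads and one more after expiry, only two exchanges happen instead of four. If you also rely on the JS SDK to refresh the cookie client-side, the expiry check above is what keeps the server from trusting a stale session token forever; on an OAuthException from the Graph API, call invalidate! so the next request re-exchanges.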