So, simple question:
After the user authorizes my app (OAuth 2.0), I do a call to the Facebook Graph API to fetch their details.
So at this point in time, I have their Facebook ID, an access token for API calls, their email, and some other basic info.
I’m working on an ASP.NET MVC 3 web application, that uses Forms Authentication and a custom ticket to store extra data.
A lot of examples I’ve seen have shown storing the info in Session.
Is this wise? Because I’m working on a single-sign-on (e.g. users can “sign in” to my website with Facebook Connect), I only really “care” about their Facebook info if they are already logged in to my website.
With that in mind, I’m wondering if it’s worthwhile segregating the info across different persistence mechanisms.
For instance, since the Facebook ID doesn’t change, I could store that in the Forms Authentication ticket, and perhaps store the access token in a cookie, with the expiry set to the expiry received in the HTTP response.
How do people go about storing Facebook information in an ASP.NET (MVC – but not specifically limited to) application?
I decided to use a mix of Session and the Forms Auth ticket.
In the ticket, I store the user’s Facebook ID, as this does not change.
However, I also need to store whether the user is currently authenticated to Facebook (just a basic flag) and the OAuth token.
It doesn’t make sense to store this data in the cookie, because if they logged out of Facebook or the OAuth token expires, I’d then either have to update the cookie or sign them out of Forms Authentication.
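The split described in the answer above (stable Facebook ID in the encrypted Forms Authentication ticket, short-lived OAuth token in server-side Session), as an added example that is not code from the question or the answer. It assumes an ASP.NET MVC 3 application with Forms Authentication configured in web.config; `FacebookLogin` and `FacebookSessionStore` are hypothetical names chosen here for the values fetched from the Graph API and for the helper.

```csharp
// Added example, not from the original post. Assumes ASP.NET MVC 3 with
// Forms Authentication enabled; FacebookLogin and FacebookSessionStore are
// hypothetical names used only for this illustration.
using System;
using System.Web;
using System.Web.Security;

public class FacebookLogin
{
    public string FacebookId { get; set; }
    public string AccessToken { get; set; }
    public DateTime AccessTokenExpiresUtc { get; set; }   // from the OAuth response's expiry
}

public static class FacebookSessionStore
{
    private const string TokenKey = "fb_access_token";
    private const string TokenExpiryKey = "fb_access_token_expiry";

    // Issue the Forms Auth ticket. The Facebook ID never changes, so it is
    // carried in the ticket's UserData; the ticket is encrypted and signed by
    // FormsAuthentication.Encrypt, so the client cannot alter it unnoticed.
    public static void SignIn(HttpContextBase ctx, FacebookLogin login, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: login.FacebookId,       // or your own site user id, if you map them
            issueDate: DateTime.Now,
            expiration: DateTime.Now.Add(FormsAuthentication.Timeout),
            isPersistent: persistent,
            userData: login.FacebookId);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from page script
            Secure = FormsAuthentication.RequireSSL,  // honour the web.config setting
            Path = FormsAuthentication.FormsCookiePath,
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        ctx.Response.Cookies.Add(cookie);

        // The OAuth token expires (and can be revoked) independently of the site
        // login, so it lives server-side in Session, not in the cookie.
        ctx.Session[TokenKey] = login.AccessToken;
        ctx.Session[TokenExpiryKey] = login.AccessTokenExpiresUtc;
    }

    // Read the Facebook ID back out of the ticket on a later request.
    public static string GetFacebookId(HttpContextBase ctx)
    {
        var cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return null; }   // malformed or tampered cookie
        catch (HttpException) { return null; }

        if (ticket == null || ticket.Expired) return null;
        return ticket.UserData;
    }

    // The "is the user currently authenticated to Facebook" flag is derived from
    // whether an unexpired token is in Session, so there is no separate flag to
    // keep in sync with the cookie when the token expires.
    public static string GetValidAccessToken(HttpContextBase ctx)
    {
        var token = ctx.Session[TokenKey] as string;
        var expiry = ctx.Session[TokenExpiryKey] as DateTime?;
        if (string.IsNullOrEmpty(token) || expiry == null || expiry.Value <= DateTime.UtcNow)
        {
            ctx.Session.Remove(TokenKey);        // drop a stale token rather than reuse it
            ctx.Session.Remove(TokenExpiryKey);
            return null;
        }
        return token;
    }

    public static bool IsFacebookAuthenticated(HttpContextBase ctx)
    {
        return GetValidAccessToken(ctx) != null;
    }
}
```

Call `FacebookSessionStore.SignIn(HttpContext, login, rememberMe)` from the OAuth callback action, and `GetValidAccessToken(HttpContext)` before each Graph API call; a `null` return means the user is still signed in to the site (the ticket is untouched) but must re-authorize with Facebook before Facebook data is used again.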