The case:

1. We plug-in FB JS and init it with FB.init(). This call creates fbsr_NNNNN cookie. The cookie has session-limited expiration date (until browser is closed). We call FB.init() only once in this example. After that we call the pages that don’t contain FB.init() invocations so it doesn’t have a chance to renew the access_token
2. We perform authentication and make some server-side (PHP FB SDK) call, like /me
3. Wait for 30 minutes or something until FB session expires
4. Perform the /me request again and see “An active access token must be used to query information about the current user.”

This happens because current php sdk implementation:

  public function getSignedRequest() {
    if (!$this->signedRequest) {
      if (isset($_REQUEST['signed_request'])) {
        $this->signedRequest = $this->parseSignedRequest(
          $_REQUEST['signed_request']);
      } else if (isset($_COOKIE[$this->getSignedRequestCookieName()])) {
        $this->signedRequest = $this->parseSignedRequest(
          $_COOKIE[$this->getSignedRequestCookieName()]);
      }
    }
    return $this->signedRequest;
  }

just takes the access_token from cookies as-is and in case of exception it doesn’t clear it. So the code has no chance to return into normal workflow without manual cookie removing. Yes, if I delete the cookie – the code starts to work again (as long as there is no saved access_token and library fetches the new actual one).

So what workaround for this issue would you propose? What do you use? Do you think it is a bug?

UPD: seems like there is a possible workaround: to extend Facebook class and override the method that cleans persistent storages. For details look at discussion to the answer http://facebook.stackoverflow.com/a/8294559/251311

But I’m personally still sure that FB SDK should handle it without any additional hacks