38

I have recently started getting this error while posting to the Facebook news feed stream of an app user. I do have the offline access permission for the access tokens, and they worked fine previously. This error is coming for 30-40% of the users.

"Error validating access token: Session does not match current stored session.
This may be because the user changed the password since the time the session
was created or may be due to a system error."
DhruvPathak

7 Answers

40

It's possible for your access token to become invalid for a variety of reasons (expiry time passed, user changed password, user deauthorized your app, user logged out of Facebook, etc.). You should always design to account for this scenario.

If your users are active, it's easy to get a new access token from the OAuth endpoint without them having to do/see anything. If not, you should make a plan (such as emailing them) for how you will get them to return so you can get a new access token. The scenario you're describing is not necessarily unusual. You can find some code samples here for help on how to handle expired access tokens.

Jeff Bowen
  • 3
    Ok genesis. Sorry. New here. I had read through the FAQs and saw the one about "promoting your own products" (http://stackoverflow.com/faq#promotion) which said "you _must_ disclose your affiliation in your answers". Guess the community wouldn't consider this "promoting your own products"? – Jeff Bowen Jul 21 '11 at 04:42
  • Thanks Rob. I ended up asking over on [meta](http://meta.stackexchange.com/questions/99202) what people thought and got some good answers. – Jeff Bowen Jul 21 '11 at 07:08
  • 4
    @Jeff Bowen This doesn't answer why access tokens randomly stop working and then later will work. There is no way 30-40% of users revoked or changed their password. I am pretty sure this is a bug with Facebook. – bkaid Jul 21 '11 at 15:11
  • OffBySome, there are other reasons large numbers of access tokens can be invalidated so the 30-40% doesn't necessarily raise alarm for me but if you're seeing access tokens stop working and then work again, that sounds like a bug. Please file it in our [Bug Tracker](http://bugs.developers.facebook.net) with as much info as you can (if you mark it "confidential" you can include the access tokens in question and we can look at them). If you do, add a link to the bug here for everyone. – Jeff Bowen Jul 21 '11 at 18:02
  • @Jeff Bowen .. for what good reason would an access token with offline_access become invalid if a) I do not deauthorize, b) expiry time is infinite, c) logout is meaningless for offline_access, and as mentioned IT FAILS RANDOMLY, THEN WORKS RANDOMLY. Is it related to some anti-spoofing algorithm? Some IP-based criteria? – DhruvPathak Jul 22 '11 at 06:05
  • DhruvPathak, there are other internal reasons access tokens can become invalid. We never guarantee that an access token, even one with the offline_access permission, will live forever. Sorry, I know it's not what you want to hear but I'm just letting you know that things are working as designed. – Jeff Bowen Jul 22 '11 at 19:11
  • As for the issue of it failing and then later working, that sounds like a bug so it'd be great if you could file it in our [Bug Tracker](http://bugs.developers.facebook.net) as a "confidential" bug and include the access_tokens you're seeing this with. Thanks! – Jeff Bowen Jul 22 '11 at 19:11
  • 2
    link is broken, facebook is bad at links? – sihrc Jun 24 '14 at 22:52
  • @JeffBowen I'm having the same error as the OP but via a mobile iOS application. From what I have read online, this token is managed by the FBSDK, but is somehow getting invalid. What's really weird is that if I log in and out of Facebook on the app, the token is still the same invalid one. – Unome Sep 13 '16 at 06:23
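
One way to design for invalid tokens as the answer above advises, as an added example that is not part of the original answer or Facebook's sample code: it classifies a Graph API error body using the two messages quoted in this thread and picks the next step. The JSON error shape, the retry limit and the action names are assumptions.

```python
import json

# Message fragments quoted in this thread. Matching on text is an assumption:
# the thread itself notes that this behaviour is undocumented.
PASSWORD_CHANGED = "user has changed the password"
SESSION_MISMATCH = "Session does not match current stored session"
MAX_RETRIES = 3  # hypothetical limit for the intermittent failure

# Constructed sample response bodies (assumed Graph API error shape).
SAMPLE_MISMATCH = json.dumps({"error": {"type": "OAuthException", "message":
    "Error validating access token: Session does not match current stored session."}})
SAMPLE_PASSWORD = json.dumps({"error": {"type": "OAuthException", "message":
    "Error validating access token: The session has been invalidated "
    "because the user has changed the password"}})


def classify_graph_error(body):
    """Return 'ok', 'transient', 'reauthorize' or 'unknown' for a response body."""
    try:
        payload = json.loads(body)
    except ValueError:
        return "unknown"
    err = payload.get("error") if isinstance(payload, dict) else None
    if err is None:
        return "ok"
    if not isinstance(err, dict) or err.get("type") != "OAuthException":
        return "unknown"
    message = str(err.get("message", ""))
    if PASSWORD_CHANGED in message:
        return "reauthorize"      # token is dead until the user returns
    if SESSION_MISMATCH in message:
        return "transient"        # reported in this thread as intermittent
    return "reauthorize"          # policy choice: distrust any other OAuthException


def next_action(body, failures_so_far):
    """Decide what the caller does next; never put the token itself in logs."""
    kind = classify_graph_error(body)
    if kind == "ok":
        return "done"
    if kind == "transient" and failures_so_far + 1 < MAX_RETRIES:
        return "retry_later"
    if kind in ("transient", "reauthorize"):
        return "ask_user_to_reauthorize"
    return "log_and_alert"
```
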
3

There seem to be a lot of questions about why your token would have expired so quickly. I think I can shed some light on that. Here are a number of scenarios I have found which cause this:

There is the obvious one; the user changed his password. There is nothing you can do about this. They will need to reauthorize your app. The rest of these scenarios deal with page tokens, which are similar to a token for a user profile, except they come from querying /me/accounts with the user token of a valid administrator for the page. These seem to expire much more frequently.

It seems that if ANY administrator of a page changes their password (not necessarily the one whose token you are using), this can cause the token to expire. Also, if you have some pages in your system with the same administrator, calling /me/accounts often refreshes ALL of the tokens for the pages this user administrates. That means if you are connecting a new page for a user with existing pages, you will need to update the existing page tokens with the new ones provided by /me/accounts.

Finally, the way I deal with this in my system is to store the admin user and token as a parent of the page token in my database. This way when I need to reconnect a page or add a new page, the system can look up and update any related page tokens received from /me/accounts. It also allows you to automatically attempt to refresh the token by calling /me/accounts when you receive the expired token exception.

Hope some of this helps!

Aminah Nuraini
thefreeman
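
The parent/child token storage described in the answer above, as an added example (not thefreeman's code): page tokens are stored under the admin whose user token produced them, and one /me/accounts response refreshes every related page token in a single transaction. The table and function names and the response shape (a `data` list with `id` and `access_token`) are assumptions; the sample tokens are constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE admin_tokens (admin_id TEXT PRIMARY KEY, token TEXT NOT NULL);
CREATE TABLE page_tokens (
    page_id  TEXT PRIMARY KEY,
    admin_id TEXT NOT NULL REFERENCES admin_tokens(admin_id),  -- parent admin
    token    TEXT NOT NULL
);
"""
# Constructed /me/accounts responses (assumed shape); the tokens are fake.
ACCOUNTS_FIRST = {"data": [{"id": "p1", "access_token": "PT1-a"}, {"id": "p2", "access_token": "PT2-a"}]}
ACCOUNTS_REFRESHED = {"data": [{"id": "p1", "access_token": "PT1-b"}, {"id": "p2", "access_token": "PT2-b"}]}

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def sync_page_tokens(db, admin_id, admin_token, accounts, connect=()):
    """Apply one /me/accounts response obtained with admin_token. Pages already
    stored under this admin are refreshed, pages named in `connect` are added,
    all others are ignored. Returns the ids whose stored token changed."""
    changed = []
    with db:  # one transaction: related tokens are replaced together
        db.execute("INSERT OR REPLACE INTO admin_tokens VALUES (?, ?)",
                   (admin_id, admin_token))
        for page in accounts.get("data", []):
            page_id, token = page.get("id"), page.get("access_token")
            if not page_id or not token:
                continue
            row = db.execute("SELECT admin_id, token FROM page_tokens "
                             "WHERE page_id = ?", (page_id,)).fetchone()
            linked_here = row is not None and row[0] == admin_id
            if not linked_here and page_id not in connect:
                continue  # never store tokens for pages nobody connected
            if linked_here and row[1] == token:
                continue  # unchanged
            db.execute("INSERT OR REPLACE INTO page_tokens VALUES (?, ?, ?)",
                       (page_id, admin_id, token))
            changed.append(page_id)
    return changed

def page_token(db, page_id):
    row = db.execute("SELECT token FROM page_tokens WHERE page_id = ?",
                     (page_id,)).fetchone()
    return row[0] if row else None
```
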
3

Check out the official blog post from Facebook: How-To: Handle expired access tokens

Aaron He
Syed I.R.
3

This is undocumented but I just tested it and it works with expired access tokens. It should work on access tokens that have been invalidated if you know their user id, and they haven't revoked privileges to your app. First, you can verify that you still have the permissions you need by calling this URL:

`https://graph.facebook.com/userID/permissions?access_token=appID|appSecret`

If you still have publish_stream permissions, you can issue an HTTP POST to this URL:

`https://graph.facebook.com/userID/feed` with POST parameters of `access_token=appID|appSecret&message=test message`

bkaid
  • 1
    Why would an access token received with offline_access permission expire within the same day? I get an error even on the same day, and it is random. – DhruvPathak Jul 21 '11 at 08:03
  • Because you are dealing with Facebook. Other people have this issue too, here is another case: http://stackoverflow.com/q/5972901/265570 – bkaid Jul 21 '11 at 15:08
  • Yes indeed, it is a random issue, and Facebook has no documentation whatsoever regarding this. I am curious to know about self-discovered hacks or workarounds, if any fellow developer has found some. – DhruvPathak Jul 22 '11 at 06:09
  • I just tried this and it worked. Thanks for the information. – Jay Taylor Aug 12 '11 at 19:22
2

The offline session token is changed whenever a user changes his password. If a previously working session suddenly stops (and you're getting that error) then the user's password was changed (probably by the user) and you will need to re-prompt them to grant you offline access and save the new session token you get.

Femi
  • That error is different. `OAuthException, Error validating access token: The session has been invalidated because the user has changed the password` I also get that, but for a very small set of users; however, this error is coming for a large set of users. – DhruvPathak Jun 06 '11 at 06:20
  • 1
    Odd: you may just have hit a genuine bug. See http://bugs.developers.facebook.net/show_bug.cgi?id=17485 for details (assuming you haven't already seen that). – Femi Jun 06 '11 at 06:30
  • Thanks. Seen that. I was hoping there is some workaround for that though. – DhruvPathak Jun 06 '11 at 06:39
1

I also faced this issue while accessing the post comments from my command utility. In my case everything was working fine, until suddenly I got the error:

The remote server returned an error: (400) Bad Request.

After diagnosing the problem, I found that the Facebook access token is expiring after a period of time even though I created it with the offline_access option as below:

`https://www.facebook.com/dialog/oauth?client_id=[APPID]&redirect_uri=[URL]&scope=user_photos,email,user_birthday,user_online_presence,offline_access`

After wasting lots of time on R&D, I found that there is an option in the app's Advanced Settings for "Remove offline_access permission". My client had enabled it, and that's the reason my token was expiring. Have a look at the image below:

[Image: Facebook offline access token]

William Price
Optimus
1

In my case I had to generate a new page access token because I changed my Facebook password.

You can do that by going to https://developers.facebook.com, click on your app, see the menu on the left, choose Messenger, then Settings, then scroll to Access Tokens, click Generate token, copy the token and paste it into your configuration file.

Gabriel Arghire