15

I'm developing using the Facebook PHP SDK.

I wanted to make it so that when the user logs out of Facebook, they will automatically be logged out of my website too.

I am using the following code to detect the session, using the session cookie:

$facebook->getUser();

For some reason, the getUser() function still returns the user's Facebook ID, even after they have logged out of Facebook on their website.

Am I to detect the session first using another Function?

On the official documentation example here, is the following excerpt from their comments:

// Get User ID
$user = $facebook->getUser();

// We may or may not have this data based on whether the user is logged in.
//
// If we have a $user id here, it means we know the user is logged into
// Facebook, but we don't know if the access token is valid. An access
// token is invalid if the user logged out of Facebook.

This lead me to believe that the session cookie for Facebook would become unset upon Facebook logout?

Kind Regards,

Luke

sakibmoon
  • 2,026
  • 3
  • 22
  • 32
Luke
  • 22,826
  • 31
  • 110
  • 193

5 Answers5

12

I have the same issue!

The FB PHP SDK saves those things into the $_SESSION! You can delete them like this when your user clicks logout:

$_SESSION['fb_'.APP_ID.'_user_id'] = '';
$_SESSION['fb_'.APP_ID.'_access_token'] = '';

Although this is not the final solution, it works for now.

I appreciate comments and solutions on that!

NGLN
  • 43,011
  • 8
  • 105
  • 200
Michael Ionita
  • 136
  • 1
  • 5
  • But the issue here is when the user logs out from Facebook.com (on his machine) "You can delete them like this when your user clicks logout:" <--- which logout? on facebook.com? How can u trigger setting the $_SESSION['fb_'.APP_ID.'_user_id'] = '', when the user is clicking logout from facebook.com – user6890 Jul 19 '14 at 11:14
3

I want to give an alternative, in a way you don't have to handle session stuff. Although, I must warn you this is slower than cleaning up the session, because it relies on a new request. What we're doing in the code below is to check on Facebook if the token is still valid. Here it's:

try {
    $facebook->api('/me','GET');
    $logged = true;
} catch(FacebookApiException $e) {
    $logged = false;
}

In my case, I was doing everything using the JavaScript SDK, so I couldn't clean session on logout. But in my landing page, I was needing a work around to check it before send the response back.

If you're facing something like this, definitely a good solution.

sakibmoon
  • 2,026
  • 3
  • 22
  • 32
Ramon K.
  • 3,402
  • 3
  • 20
  • 29
  • If the facebook session is still alive with a cookie on your site, but you are already logged out on facebook, this will return $logged = true. I tried that. – Robert Oct 10 '13 at 09:14
2

The problem seems to be in php-sdk in basefacebook.php at line 567

         protected function getSignedRequestCookieName() {
         return 'fbsr'.$this->getAppId();}

This method returns the name of the cookie the sdk is looking for. However, javascript-sdk uses 'fbs_' prefix. Change this to 'fbs_' and it works fine.

return 'fbs'.$this->getAppId();}
sakibmoon
  • 2,026
  • 3
  • 22
  • 32
Umer Pasha
  • 23
  • 3
1
$facebook->destroySession();
ogisusu
  • 33
  • 4
  • This unexpectedly doesn't work. See http://stackoverflow.com/a/8348505/556493 for a working solution. – yingted Jun 24 '13 at 20:42
0

To destroy the session you can also use: $facebook->destroySession();

Арон Кальян
  • 114
  • 1