
My current user story is that user1 is logged into my website and facebook (these accounts are connected etc).

User1 logs out of my site but not facebook.

After this user2 logs into his account, but the left over session from user1 screws with user2's interaction with my site and who they post as.

So to fix this I made it check if the user who is logged in actually owns the currently logged in facebook (this would result in them going to facebook log out etc) and it shows a link that should allow the user to log out...

Upon clicking the link they go to facebook and return to the site. But if you open a new tab and go to facebook User1 is still logged in.

How can I get this link to work... what's going on? Is this a bug with the API or what?

Edit: I've continued testing with valid user IDs loading and with valid access tokens, but I have yet to get the logout link to work.

  • > After this user2 logs into his account, but the left over session from user1 screws with user2's interaction with my site and who they post as. Is user2 logging in on the same computer/browser, or how are "sessions" getting mixed up? Could you elaborate on that a little bit further, what exactly you mean by "session"? – CBroe May 31 '12 at 14:17
  • Yes, the same browser. It's a unlikely scenario because people would most likely log out of their facebook account when leaving their computer anyway, but the problem still needs resolving. Basically if facebook is logged on as Person 1, but on my website Person 2 logs on whilst person 1 is still logged into facebook, any actions taken on my website by Person 2 pull up the facebook information for Person 1. I can detect if the currently logged in facebook account and currently logged in user on my website are one and the same, but if not I need a way of logging Person 1 out from facebook first – Tom May 31 '12 at 14:26
  • .... so I can then redirect person 2 to the facebook authentication screen – Tom May 31 '12 at 14:27
  • I created a short test case, displaying login- or logout-link depending on wether Facebook->getUser gives me a user-id or not, and testing in Firefox 12 I get the expected behaviour: Using the logout-link logs me out of Facebook - *except* for the small glitch that after redirecting to my site it still shows the *logout*-link. I have to refresh my page before I get to see the *login*-link again; I guess that's due to some problem with the browser recognizing the cookie Facebook set before redirecting to my page (cookies and redirects often prove to be a little bit tough across browsers). – CBroe May 31 '12 at 14:53
  • Hmm, our scenario seems the same. Would it make a difference, do you think, if the user logged into facebook (who needs logging out) is not connected to my app? (they haven't used it before, accepted permissions or anything, they are just a regular facebook user) – Tom May 31 '12 at 14:59
  • Some more information, I've noticed that the link generated by getLogoutUrl() requires an access token, which will be for the user logged into my website, NOT for the user logged into facebook. – Tom May 31 '12 at 15:02
  • [Tom, I'm adding an answer instead of commenting, because I want to be able to quote properly.] > Would it make a difference do you think if the user logged into facebook (who needs logging out) is not connected to my app? Is that even possible? When I log in and I'm not connected to the app, straight after logging in to FB it presents me with the dialog which tells me which permissions this app will be granted etc. and asks me to accept. > i've noticed that the link generated by getLogoutUrl() requires an access token Makes sense - otherwise I could plant such a URL on any page, for example – CBroe May 31 '12 at 15:23
  • When the user logs into my site, it pulls their access token from the database, with an expiry date, and checks if it is valid, then follows the re-authentication process if it has expired. If they log into my website then yes, it will detect the logged in facebook user and present the permissions dialog, etc. But then the user has the ability to link their account on my website up to someone else's facebook account; I wanted to remove this possibility by detecting if the facebook id is the correct one, and if not log the other user out of facebook and present them with a log in screen – Tom May 31 '12 at 15:42

3 Answers

A little late but here goes my contribution:

Use the params when generating the logout URL, so that it redirects to a page in which you destroy the session using the Facebook API function for that.

Here is an example:

$logoutUrl = $facebook->getLogoutUrl(array("next" => "http://mydomain.com/page4logout"));

In page4logout you can instantiate the facebook object and execute the following:

$facebook->destroySession();

After that you can do a redirection.

j0k
  • I did what you suggested, but not in a different page. The $facebook->destroySession(); must happen in the same page where the $facebook = new Facebook(array( .. is. So I redirect to the same page with a parameter ?logout=1 and then I check it in the page after the $facebook = new Facebook(array( and it works. – themhz Apr 07 '13 at 02:00
  • @themis, please, why not accept this answer? Or, if any other solves your problem, just indicate by accepting. I am just thinking that is right to do. Thanks. – Stephen Adelakun Oct 12 '15 at 08:37
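Putting the answer and themhz's comment together, as an added example that is not code from the answer or from the Facebook SDK: one PHP page that instantiates the SDK object, handles the `?logout=1` round trip with `destroySession()`, and only shows the logout link when the browser's Facebook user is not the one this site user linked earlier. It assumes the site stores that linked id in `$_SESSION['site_user_fb_id']`; the app id, secret, SDK path and domain are placeholders.

```php
<?php
// Added example, not code from the answers above. Uses only the Facebook PHP
// SDK v3 methods named on this page. Assumes the site's own session stores the
// Facebook user id this site user linked earlier in $_SESSION['site_user_fb_id'];
// the app id, secret and domain are placeholders.
require_once 'facebook.php'; // SDK file path: assumed
session_start();

$facebook = new Facebook(array(
    'appId'  => 'YOUR_APP_ID',     // placeholder
    'secret' => 'YOUR_APP_SECRET', // placeholder
));

// Absolute URL of this very page, used as the "next" target of the logout link,
// so destroySession() runs on the page that instantiated the SDK object.
$self = 'http://mydomain.com/page4logout'; // placeholder, as in the answer

// Step 1: the logout round trip through Facebook lands back here with ?logout=1.
if (isset($_GET['logout'])) {
    $facebook->destroySession();      // drop the SDK's cookie and session state
    header('Location: ' . $self);     // reload without the parameter
    exit;
}

$fbUser   = $facebook->getUser();     // 0 when the SDK sees no Facebook session
$linkedId = isset($_SESSION['site_user_fb_id']) ? (string)$_SESSION['site_user_fb_id'] : '';

if ($fbUser && $linkedId !== '' && (string)$fbUser !== $linkedId) {
    // Step 2: the browser's Facebook session belongs to someone else. Do not
    // call the Graph API with it; show the logout link that comes back here.
    $logoutUrl = $facebook->getLogoutUrl(array('next' => $self . '?logout=1'));
    echo 'This browser is logged into a different Facebook account. '
       . '<a href="' . htmlspecialchars($logoutUrl, ENT_QUOTES) . '">Log it out</a> '
       . 'and then log in with the account linked to your profile.';
    exit;
}

if (!$fbUser) {
    // Step 3: no Facebook session at all, so ask the user to log in again.
    $loginUrl = $facebook->getLoginUrl(array('redirect_uri' => $self));
    echo '<a href="' . htmlspecialchars($loginUrl, ENT_QUOTES) . '">Log in with Facebook</a>';
    exit;
}

// Step 4: the Facebook user matches the linked account, so it is safe to act as them.
$profile = $facebook->api('/me');
echo 'Posting as ' . htmlspecialchars($profile['name'], ENT_QUOTES);
```

The mismatch check runs before any Graph API call, so a leftover Facebook session from another person can never be used to post as, or be linked to, the site user who is actually logged in.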

Delete the facebook cookie and session manually. Here is how I solved the problem some time ago; I think it's a bug of Facebook:

// Expire the SDK's cookie for this app (name as used in this answer).
setcookie('fbs_'.$this->getAppId(), '', time()-100, '/', $_SERVER["SERVER_NAME"]);
// Drop the per-app values the PHP SDK keeps in the PHP session.
unset($_SESSION['fb_'.$this->getAppId().'_code']);
unset($_SESSION['fb_'.$this->getAppId().'_access_token']);
unset($_SESSION['fb_'.$this->getAppId().'_user_id']);
unset($_SESSION['fb_'.$this->getAppId().'_state']);

$this->getAppId() is your Facebook App ID, should be clear ;o)

Tobias Bambullis
  • will this work if the user logged into facebook is not connected to my application? – Tom May 31 '12 at 15:46
  • if the user isn't connected to your application, how can the user be logged in on your page? I don't know if this is possible... but: the user is definitely logged out after you do this. (you have to do that when Facebook redirects to your page...) – Tobias Bambullis May 31 '12 at 15:49
  • if Person 1 logs on facebook and leaves the computer, but facebook is still logged on. Then user2 logs onto my website. Because the other user is still logged in, it presents a permissions dialog asking them to link the accounts together, meaning the new user can link their account on my website with someone else's facebook account. I wanted to avoid this, and if the facebook account is not the same one the user has connected with previously, it shouldn't allow them to link it up, instead logging out and requiring them to log into the correct facebook account. – Tom May 31 '12 at 15:51
  • does user1 do a logout on your page? If yes: you can destroy the facebook session at this time, too. After that user2 won't have any problems... – Tobias Bambullis May 31 '12 at 15:57
  • User 1 might not use my website, they are just on facebook normally. Basically if someone on my website has connected with facebook previously, I don't want the option to even appear to be able to link it up with this random facebook account that has been left logged on. I wish to be able to detect that this facebook account is not the one the person linked up with on my website initially, therefore it logs out of facebook and asks them to log in again – Tom May 31 '12 at 16:03
  • okay. If I understood you correctly: you want to log out the user who is currently connected to facebook. After that a new user who uses facebook login on your page has to log in again. My suggestion is the following: before a user uses your facebook login url, just execute the script in my answer. I think this will work, because I was logged out on Facebook every time after I called my logout method on my page, too ;o) – Tobias Bambullis May 31 '12 at 16:31

One way you can check this is by using the PHP SDK and JavaScript SDK together.

When the user visits your site, call FB.getLoginStatus() and check that the authResponse.userID matches what the PHP SDK returns in $facebook->getUser(); (you can do this via an AJAX call if it helps).

You know that if the user ID doesn't match then something is wrong here. Calling $facebook->getLogoutUrl() should log the user out of both your site and facebook, but if it doesn't, try using session_destroy() in your code to clear the sessions. Then redirect the user back to $facebook->getLoginUrl() and get them to login again. This will correct the mismatch in the user ID and you can repeat the process when they come back to your site.

I've seen this happen on other apps, which leads me to believe that this is a facebook issue. The JavaScript SDK doesn't appear to check if the cookie is still valid (if it already exists).

Niraj Shah
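The server half of the cross-check this answer describes, as an added example that is not code from the answer or from the Facebook SDK: the page's JavaScript is assumed to call FB.getLoginStatus() and POST authResponse.userID (empty when not connected) to this script as `js_user_id`, and the script answers with JSON telling the client where to send the browser next. The app id, secret, SDK path and return URL are placeholders.

```php
<?php
// Added example, not code from the answer above: the server half of the JS/PHP
// cross-check. The page's JavaScript is assumed to call FB.getLoginStatus() and
// POST authResponse.userID (empty when not connected) here as "js_user_id";
// the script replies with JSON saying what the client should do next.
require_once 'facebook.php'; // SDK file path: assumed
session_start();
header('Content-Type: application/json');

$facebook = new Facebook(array(
    'appId'  => 'YOUR_APP_ID',     // placeholder
    'secret' => 'YOUR_APP_SECRET', // placeholder
));
$returnTo = 'http://mydomain.com/after-login'; // placeholder

$jsUserId  = isset($_POST['js_user_id']) ? (string)$_POST['js_user_id'] : '';
$phpUserId = (string)$facebook->getUser(); // '0' when the SDK sees no session

if ($jsUserId !== '' && $jsUserId === $phpUserId) {
    // Browser-side and server-side agree on who is logged in: nothing to do.
    echo json_encode(array('action' => 'ok', 'user_id' => $phpUserId));
    exit;
}

// They disagree (stale cookie, or a Facebook session that is not the one the
// server-side state was built from). Drop the SDK's copy of the state rather
// than calling session_destroy(), which would also end the site's own login,
// and tell the client where to send the browser: through the real Facebook
// logout if the SDK still holds a user (that link needs the access token the
// SDK has, so build it before destroying the session), otherwise to login.
if ($phpUserId !== '0') {
    $url = $facebook->getLogoutUrl(array('next' => $returnTo));
    $facebook->destroySession();
    echo json_encode(array('action' => 'logout', 'url' => $url));
} else {
    $facebook->destroySession();
    $url = $facebook->getLoginUrl(array('redirect_uri' => $returnTo));
    echo json_encode(array('action' => 'login', 'url' => $url));
}
```

The client-reported id is only used to detect disagreement; the server never trusts it as the identity of the user, since anyone can POST an arbitrary value.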