Inter-sections.net : The low-down on Facebook sessions

Comment on The low-down on Facebook sessions by Tyler

Sun, 28 Oct 2007 18:37:14 +0000

Hey,

I’m working on a desktop app and want to get an infinite session. When you say “Create a user with a normal sounding name, that you will use as your infinite session key user.” Do you mean to actually register a new account on Facebook and use the infinite session key for that user as a key that can be used for other users who have added your app?

Thanks

Comment on The low-down on Facebook sessions by daniel

Sun, 28 Oct 2007 20:10:02 +0000

Tyler:

Yes, that’s what I meant. The reason it’s good to create a completely separate user is that then you will decouple yourself from any risk that somehow you mistakenly invalidate your infinite session key, e.g. during testing, by removing and adding the app. In a desktop app, you’ll be doing most things through the infinite session key, so it’ll break your whole app if it becomes invalid.

Bear in mind that Facebook officially does not support what they call “fake users”. So be sure to make that user look like a real user so it doesn’t get deleted by Facebook a few months down the line. That means, don’t call it “My App User”. Call it something like Steve Johnson or something.

Some people on #facebook advocate using your own user to set up your infinite session key, but I found it broke quite often due to some testing. It’s up to you, really.

Hope this helps.

Comment on The low-down on Facebook sessions by Tyler

Fri, 02 Nov 2007 22:22:03 +0000

Hey Daniel,

I was able to get my infinite session key, thanks for the help.

I’m using the Java Client Library (which I’ve heard is terrible), but I’m having a bit of a problem actually using the key. I’ve grabbed the key and saved it, now when I create a new FacebookRestClient I pass the infinite key as a parameter to the constructor (instead of getting the session key by launching the browser). It keeps telling me that me key is either expired or invalid, or that my signature is incorrect.

I don’t suppose you have any experience with this?

Comment on The low-down on Facebook sessions by Tyler

Fri, 02 Nov 2007 22:22:56 +0000

BTW, you can respond by email if you prefer.

Thanks for the help.

Comment on The low-down on Facebook sessions by dale

Mon, 12 Nov 2007 19:48:36 +0000

One more clarification question: does rfacebook’s requirefacebookinstall save the returned infinite session key, or does one need to do that separately? If so, how does it subsequently get used by rfacebook?

Comment on The low-down on Facebook sessions by dale

Tue, 13 Nov 2007 01:42:40 +0000

I think I can answer my own question. From the code, it looks like requirefacebookinstall doesn’t do anything to preserve the session key.

However, calling activatewithprevioussession and passing it the current fbsigsessionkey seems to work just fine. Doing this before calling requirefacebookinstall also avoids “already installed” complaints out of the F8 API under certain conditions.

I’m still not certain why one needs to “save” the session key IFF the app is a webapp. In it is installed, F8 will always start the app, and hence on the first callback, seems like there will always be an infinite session key available to send into activiatewithprevious_session.

BTW thanks for this write-up, Daniel. Best one out there I’ve seen on a very important topic to everyone.

Comment on The low-down on Facebook sessions by daniel

Tue, 13 Nov 2007 14:36:32 +0000

Thanks. I hoped it would be useful when I wrote it :-)

You need to save the session key and uid so that you have a handle to get back to your users and, for instance, update their profiles, outside of a request/response context.

I’ll probably write an article about this sometime, but one of the key architectural decisions I made when designing our facebook app was to move the profile and action updates off the request/response path (i.e. have them running in a background process). For this, you need the session key and uid to be saved in a table somewhere.

The point, really, is that it’s quite easy to save the key/uid, and having them saved has large potential benefits if you decide to alter the architecture of your app. So you might as well save them!

Comment on The low-down on Facebook sessions by silmat01

Sun, 18 Nov 2007 05:39:33 +0000

Do you have any code that shows the work flow for using :requirefacebookinstall. I am trying to write a sample app.I have not published. But I wanted to test to see how this app can be added by another user. How do I do that? Also it gives me an error “You must activate the session before using it.”

Comment on The low-down on Facebook sessions by stridie

Thu, 29 Nov 2007 19:50:34 +0000

I’m running into an issue where facebook is telling me that some of the session keys that i store for users are invalid. (Interestingly, the only one that works is the one for MY user id)

None of my users (or myself) are checking the ‘keep me signed in’ check box that is shown upon adding the application… Is this necessary for the stored session keys to work?

Comment on The low-down on Facebook sessions by daniel

Thu, 29 Nov 2007 21:16:04 +0000

stridie: If your application is external, then yes, they need to check the second box for their session to be infinite. In that case, fall back to your own infinite session key.

If, on the other hand, your app is the kind that lives on Facebook itself rather than externally, then you should switch from requiring the ‘facebook login’ to requiring ‘facebook install’, however that’s done in the technology you’re using. The way to do it in RFacebook is to switch from: beforefilter :requirefacebook_login to: beforefilter :requirefacebook_install

Hope this helps!

Daniel

Comment on The low-down on Facebook sessions by tejas

Fri, 30 Nov 2007 13:08:19 +0000

hi, i m integrating drupal with facebook.

to start with i want to configure drupal to use facebook. so i need userid as well as infinite sessionID so, how can i get that IDs. plz help me. thanks in advance…….

Comment on The low-down on Facebook sessions by Andrey

Mon, 03 Dec 2007 05:06:02 +0000

Hi Daniel,

Why do you suggest persisting sessionkey/userid pairs? Assume I persist them into a table – however in order to use the table I’d have to get userid through facebook login redirect anyway. Then the quesions is whether I get the sessionkey from my table or again from facebook.com. I can see some perf improvement from getting key locally, but that’s pretty much it, the downside is managing an extra table and potential sync issues.

Also you suggest redirecting to install URL – it works great for non-app-users by bypassing login page. However the users who already have that app installed and click on that link are seeing a page telling them that the app is already installed. (redirecting to login URL causes nested iframe though with all of facebook appearing inside of app frame and then surrounded by original facebook frame ;-) Thanks!

– Andrey

Comment on The low-down on Facebook sessions by daniel

Mon, 03 Dec 2007 10:09:36 +0000

Andrey: 1) You need the session key and uid to do stuff to the user when they’re not logged in (e.g. when one of their friend’s actions causes an update to be required on their profile). This has nothing to do with performance.

2) Requiring install and just plain redirecting to install are two different things. Only redirect to the installation page if the user has not already added the application. In RFacebook, that’s done with: beforefilter :requirefacebook_install With this, the user will only be redirected to the install page if they have not already added the app.

Daniel

Comment on The low-down on Facebook sessions by Andrey

Tue, 04 Dec 2007 04:24:42 +0000

Daniel, Thanks for the reply. 1) makes sense. For my app is not quite applicable as I store all of user data created by my app in my database, hence if a logged in user A does an action that changes some data of not-logged-in user B, I do not need a session to manipulate user B data (user B data is stored in my local tables, and all I need is his userID).

Regarding (2) I am using asp.net and I have fixed the error that I have had – I think conceptually it does what you suggest to do with RFacebook. Cheers,

– Andrey

Comment on The low-down on Facebook sessions by Jason

Fri, 04 Jan 2008 09:10:03 +0000

Hi we are having MASSIVE problems with the session ID stuff

Forbidden

You don’t have permission to access /index.phphttp://’Our IP Address’/getinfinitekey.php on this server.

does this getinfinitekey.php file need any other permissions?

I followed the instructions from this site http://wiki.developers.facebook.com/index.php/Infinitesessionhowto#Step1:_Addyour_application

But we cannot understand why it wont work

PLLLLLEASE HELP!!!!

Comment on The low-down on Facebook sessions by daniel

Fri, 04 Jan 2008 09:39:22 +0000

Jason, this looks like a PHP issue rather than a Facebook issue. Go on the #php channel on irc.freenode.net and ask for help there, they’ll show you how to get your server working properly.

Comment on The low-down on Facebook sessions by kunal

Mon, 18 Feb 2008 19:23:06 +0000

Hi Daniel, Excellent article and this stuff works. I am not clear about one thing, however, which is - can a user’s infinite session key help him get his friend’s friends or his friend’s profile ? Will appreciate what you have to say about it. Does $facebook->setuser(myfriendid, mysessionkey) and then $facebook->apiclient->friends_get( ) get my friend’s friends ?? I am not sure this happens.

Comment on The low-down on Facebook sessions by Rob H

Tue, 03 Feb 2009 17:28:06 +0000

Daniel, thanks for the information. However, if you wish for this to be the clear, definitive guide it should have at least one simple example so that everyone dees not have to interpret your words. While I get the basis of what you are saying, there are still a lot of way to interpret it into actual code. Would you mind providing a simple PHP example of how to fetch the session ID and user ID, properly combine them and then store and fetch a session variable? Thank you.

Comment on The low-down on Facebook sessions by SL

Sun, 03 May 2009 14:33:03 +0000

Hi, Any idea how session keys work with facebook connect? Lets say I add a connect login to my page and one of my users logs into facebook. Can I get the session and user ID somehow to store in my database?

Thanks

Comment on The low-down on Facebook sessions by a+ training

Fri, 25 Sep 2009 04:52:18 +0000

hi i think However the users who already have that app installed and click on that link are seeing a page telling them that the app is already installed. (redirecting to login URL causes nested i though with all of appearing inside of app frame and then surrounded by original frame ;-) Thanks

Comment on The low-down on Facebook sessions by 640-553 exam

Sat, 03 Oct 2009 06:03:30 +0000

Comment on The low-down on Facebook sessions by 640-553 exam

Thu, 08 Oct 2009 09:47:27 +0000

asfa

Comment on The low-down on Facebook sessions by landed

Thu, 14 Jan 2010 16:13:51 +0000

Great article thanks for taking the time to demystify. But how can I store this key, can i use the same table in db with aanother field or do you suggest a separate table with userID as the key ? Thanks

Comment on The low-down on Facebook sessions by landed

Thu, 14 Jan 2010 16:14:22 +0000

Sorry forgot to post contact details.