My website uses Facebook Connect for login and the session lifetime on my server is 3600.
I'm using the Client-Side Flow (JavaScript) to redirect to login.php, and login.php retrieves the cookies (set by JavaScript) to get the access token.
However, if a user is idle for over 3600 seconds, the session on my server expires ($_SESSION['uid'] does not exist). How can my login.php check whether the user is already logged in to Facebook (not my app) or not?
The solution I'm using is to redirect the user to my JavaScript page, where the onStatus function is automatically triggered by Facebook.
I'm searching for a solution that can be done entirely in login.php to automatically re-login the user to my website if he or she is logged in to Facebook (without redirecting to the JavaScript page). Is it possible?
javascript:
    FB.init({appId: 'MY_APP_ID', status: true, cookie: true, xfbml: true});
    FB.getLoginStatus(function(response) {
        onStatus(response);
        FB.Event.subscribe('auth.statusChange', onStatus);
        FB.Event.subscribe('auth.login', reloadPage);
    });
    // A Facebook session exists: hand over to login.php, which reads the fbs_ cookie.
    function onStatus(response) {
        if (response.session) {
            window.location.href = '/login?fb';
        }
    }
    function reloadPage(response) {
        if (response.session) {
            window.location.href = '/login?fb';
        }
    }
PHP (for login):
    function get_facebook_cookie($app_id, $app_secret) {
        $args = array();
        if (!isset($_COOKIE['fbs_' . $app_id])) {
            return false;
        }
        // The cookie is a quoted query string; strip the quotes and parse it.
        parse_str(trim($_COOKIE['fbs_' . $app_id], '\\"'), $args);
        ksort($args);
        // The signature covers the sorted key=value pairs (minus sig) plus the app secret.
        $payload = '';
        foreach ($args as $key => $value) {
            if ($key != 'sig') {
                $payload .= $key . '=' . $value;
            }
        }
        if (md5($payload . $app_secret) != $args['sig']) {
            return false;
        }
        return $args;
    }
    $cookie = get_facebook_cookie(MY_APP_ID, MY_APP_SECRET);
    if ($cookie) {
        // Check the token against the Graph API, then start the server-side session.
        if ($result = @file_get_contents("https://graph.facebook.com/me/?access_token=" . $cookie['access_token'])) {
            $result = json_decode($result, true);
            $_SESSION['uid'] = $result['id'];
        }
    }
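As an added example (not from the question or any of the answers): a hardened form of the cookie check above that rejects tampered and expired cookies before login.php starts a session. It assumes the fbs_ cookie format used in the question (a quoted query string whose sig is md5 over the sorted key=value pairs plus the app secret) and that the cookie carries an expires Unix timestamp, the same value the JavaScript reads as response.session.expires; the secret, clock and cookie values are constructed for the offline demo.

```php
<?php
// Added example: verify an fbs_<APP_ID> cookie offline. All values are constructed.
function verify_fb_cookie($raw, $app_secret, $now)
{
    $args = array();
    // The SDK stores a quoted query string; strip the quotes, then parse.
    parse_str(trim($raw, '\\"'), $args);
    if (!isset($args['sig'], $args['access_token'], $args['expires'])) {
        return false;
    }
    ksort($args);
    $payload = '';
    foreach ($args as $key => $value) {
        if ($key !== 'sig') {
            $payload .= $key . '=' . $value;
        }
    }
    // hash_equals() avoids both timing leaks and PHP's loose string
    // comparison, which treats numeric-looking digests as equal numbers.
    if (!hash_equals(md5($payload . $app_secret), (string) $args['sig'])) {
        return false;
    }
    // Assumption: expires is a Unix timestamp, 0 meaning no expiry.
    // A correctly signed but expired token must not start a session.
    if ((int) $args['expires'] !== 0 && (int) $args['expires'] <= $now) {
        return false;
    }
    return $args;
}

// Sign fields the same way, so the demo can build cookies without Facebook.
function sign_fb_cookie(array $fields, $app_secret)
{
    ksort($fields);
    $payload = '';
    foreach ($fields as $k => $v) { $payload .= $k . '=' . $v; }
    $fields['sig'] = md5($payload . $app_secret);
    return '"' . http_build_query($fields) . '"';
}

$secret  = 'CONSTRUCTED_APP_SECRET';                 // placeholder secret
$now     = 1700000000;                               // constructed clock
$fields  = array('uid' => '42', 'access_token' => 'tok', 'expires' => $now + 3600);
$fresh   = sign_fb_cookie($fields, $secret);
$expired = sign_fb_cookie(array_merge($fields, array('expires' => $now - 1)), $secret);
$forged  = str_replace('uid=42', 'uid=1', $fresh);   // tampered after signing

var_dump(verify_fb_cookie($fresh, $secret, $now) !== false);  // fresh, valid signature
var_dump(verify_fb_cookie($expired, $secret, $now));          // valid signature, expired
var_dump(verify_fb_cookie($forged, $secret, $now));           // signature no longer matches
```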
I've figured out a way to do so: iframe the following page in all pages.
When the access token given by Facebook through the cookie expires, the page in the iframe auto-refreshes, and FB.init() sets up a new access token (cookie) for my app.
In my PHP files, I just check the cookies as when first connected.
fb_keepalive.html:
    <div id="fb-root"></div>
    <script type="text/javascript" src="https://connect.facebook.net/zh_TW/all.js"></script>
    <script type="text/javascript">
    FB.init({appId: 'APP_ID', status: true, cookie: true, xfbml: true});
    FB.getLoginStatus(function(response) {
        onStatus(response);
    });
    function onStatus(response) {
        if (response.session) {
            // session.expires is a Unix timestamp in seconds; getTime() is in milliseconds.
            var timestamp = new Date().getTime();
            var expires = response['session']['expires'] * 1000;
            // Reload exactly when the token expires so FB.init() issues a fresh cookie.
            if (expires - timestamp >= 0) {
                setTimeout(function() { window.location.reload(); }, expires - timestamp);
            }
        }
    }
    </script>
I'm still a newbie to FB Connect and that whole process, but I wanted to put my 2 cents in. I have seen a few sites strictly built on users having FB, so them being logged in or not to FB applies to the particular sites I mention. I have noticed that if I am logged in on FB and have connected with those sites in the past, then I am automatically logged back into said site; the same logic applies if I'm not logged in.
That said, I assume this means FB has a recognizable cookie that can be detected somewhere, where if detected you can likely use it in your script to get the users to be auto logged in past that 3600 mark. I know from Twitter and LinkedIn that they have user auth tokens that identify each user that can ultimately be stored in a DB and reused later, so I think maybe you're going to want to look into that a bit more with FB, as I'm sure that has to be the case with FB as well. You store this token that's associated with a user, and if the cookie previously mentioned was found, then check for that auth token. I'm sorry if this doesn't make much sense; I'm running on fumes here. If I were any better with the FB stuff I'd try to offer more help, but I am in the very basic stages of understanding how I can interact with FB from a non-FB site.
While keeping the client-side flow, you can use the Facebook PHP SDK (see it on GitHub) for dealing with the user session.
    $facebook = new Facebook(...);
    // Get the User ID
    $user = $facebook->getUser();
A non-null $user means that the user is logged in to Facebook and authenticated. You don't need the PHP you gave here anymore (get_facebook_cookie and so on): it is all included in the Facebook PHP SDK. It should be enough for you.
Going further: if you want to make API calls for that user, a non-null $user does not mean you have a valid access token for this user. One way to test whether you have a valid access token is to try to make an API call:
    $isvalid = false;
    try {
        // Any call with the current token will do; /me fails if the token is invalid or expired.
        $facebook->api('/me');
        $isvalid = true;
    } catch (FacebookApiException $e) {
        $isvalid = false;
    }