logout in facebook --> facebook_session still valid


Mattias

Nov 9, 2009, 12:51:47 PM
to facebooker
Hi all,

I'm building a site using Fb Connect site and am having some problems
synchronizing the logout from facebook to my site. I.e. if I am logged
in at facebook as well as my site, and subsequently log out from
facebook I then remain logged in on my site, not being able to log out
(nothing happens when I click the fb_logout_link).

Like many others I've used the tutorial on made by many http://to.ly/wmE
as a start. At first I was retrieving facebook_session with
set_facebook_session (as per the tutorial). After experiencing the
problem above and some reading here I realized I needed to use
create_facebook_session to pull facebook_session on every request (as
I think is the case?).

Now, this does help, however after logging out from facebook a
facebook_session is still retrieved on the next request on my site
(but not on further requests) - meaning the fb logout link is still
shown but not leading to any action on click, and I would very much
want to eliminate this potential confusion for the users. (On the next
request, the users are effectively logged out).

I suspect something is going on with the fbsetting-cookie but haven't
figured out a way to solve it. Without going further into details I
would appreciate if anyone has run into this or if perhaps I'm
misunderstanding something. All help is welcomed =)

Thanks / Mattias

Mike Mangino

Nov 9, 2009, 1:32:00 PM
to faceb...@googlegroups.com
Use create_facebook_session, not set_facebook_session

The tutorial is wrong.

Mike
--
Mike Mangino
http://www.elevatedrails.com



Mattias

Nov 9, 2009, 2:57:50 PM
to facebooker
Hi Mike,

I am, thanks for the response though. The flow of action is like this
(starting point: I am logged in both on Facebook and my site):

A. Log out from Facebook (at facebook).
B. I make a request - any - on my site.
C. The request goes through, still logged in.
D. I make a request - any - on my site.
E. Filters realize I'm not logged in, proceed accordingly.

If facebook_session is truly pulled on every request I would expect to
go from B to E, no?


klochner

Nov 20, 2009, 4:52:56 PM
to facebooker

Did you remove "self.current_user = " from the following in
authenticated_system.rb?


    def login_from_fb
      if facebook_session
        self.current_user = User.find_by_fb_user(facebook_session.user)
      end
    end

The above stores the current_user in the rails session, so you bypass
login_from_fb on subsequent requests.

This comes at somewhat of a performance hit, since you will be making
a facebook api call on every request to get the logged in user info.

Next, I think there's a problem with how the fbml handles login status
- you see the same behavior on their therunaround app. What I do is
remove the autologoutlink=true if there is no facebook_session on the
back end.



- kevin

klochner

Nov 20, 2009, 8:01:54 PM
to facebooker

On Nov 20, 4:52 pm, klochner <kloch...@gmail.com> wrote:

> This comes at somewhat of a performance hit, since you will be making
> a facebook api call on every request to get the logged in user info.

Sorry, it's been a while since I looked at the authentication code - I
left out one thing:

The cookies don't get updated until the 2nd request after logging out
in facebook, so what you're seeing is normal. You can verify that the
user is still logged in if you try accessing the rest api, so if you
want the logged-in status to be updated immediately after logging out
of facebook, you have to:

- call facebook_session.user in your controller on each request
- rescue Facebooker::Session::SessionExpired to catch the case where
the user logged out directly through facebook.

That's what I meant by the performance hit, I had just forgotten why
it was necessary. The tradeoff is an api call on every request vs.
having real-time logged in status (but this only applies to people who
may have logged out of facebook on the facebook home page)

Jordan Ritter

Nov 20, 2009, 8:13:11 PM
to faceb...@googlegroups.com
FWIW, I posted some code a while back for the "hit FB on every request to guarantee session" solution:

http://groups.google.com/group/facebooker/msg/a550a1568980ebcb.

The rescue_from only protects you from that exception in the controller method itself -- this still leaves you open to before_filters and view/template rendering (which rescue_from is worthless for). So you also have to wrap the facebooker before_filter itself with exception handling.

cheers,
--jordan
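
The per-request check described in the two posts above, as an added example that is not code from the thread or from Facebooker: the rescue sits inside the filter itself, so an expiry raised before the action runs is still caught and the local session is cleared. `Facebooker::Session` here is a plain-Ruby stand-in, and `DemoController`, `cached_request`, `ensure_live_facebook_session` and `demo_flow` are hypothetical names.

```ruby
module Facebooker
  class Session
    class SessionExpired < StandardError; end # stand-in for the library's exception
    def initialize(remote)
      @remote = remote # constructed hash modelling Facebook's server-side state
    end

    # Models the API round trip: fails once the user has logged out at Facebook.
    def user
      raise SessionExpired, "session invalidated at Facebook" unless @remote[:logged_in]
      @remote[:uid]
    end
  end
end

# Hypothetical controller: `session` plays the role of the local Rails session.
class DemoController
  attr_reader :session

  def initialize(facebook_session)
    @facebook_session = facebook_session
    @session = { fb_uid: facebook_session.user } # state cached at login
  end

  # Cookie-only check: trusts locally cached state, so it lags a remote logout.
  def cached_request
    @session[:fb_uid] ? :logged_in : :logged_out
  end

  # Filter-style check: the rescue lives inside the filter itself, so an expiry
  # raised before the action runs is still caught and local state is dropped.
  def ensure_live_facebook_session
    @session[:fb_uid] = @facebook_session.user
    :logged_in
  rescue Facebooker::Session::SessionExpired
    @session.clear # drop every cached credential, not just the uid
    :logged_out
  end
end

def demo_flow
  remote = { logged_in: true, uid: 42 } # constructed sample state
  controller = DemoController.new(Facebooker::Session.new(remote))
  before = controller.ensure_live_facebook_session
  remote[:logged_in] = false            # step A: user logs out at facebook.com
  stale = controller.cached_request     # cached check still reports logged in
  live = controller.ensure_live_facebook_session
  [before, stale, live, controller.session.empty?]
end
```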

Mattias

Dec 5, 2009, 8:51:22 AM
to facebooker
Thanks to all of you, I'll have a look at it.