
Friends,

I have set up a facebook login for my website using JS SDK.

  1. If the user is logged in through the JS SDK, should we cross-verify whether the session is valid on the server side also, as the client side can easily be fabricated?

  2. Since I use the JS SDK, the server will not have access to the Facebook session. If I need to verify the session at the server end, can I use php-sdk and extend the session like it is specified in https://developers.facebook.com/docs/reference/php/ ? In this case I need to enable the cURL PHP extension to get this running and am worried that performance will go down when using the PHP SDK.

Could you please help me in finding answers for the above queries?

Kiran

3 Answers


The PHP SDK and the JavaScript SDK are the complete opposite of what Julian H. Lam said; in fact they were built to be used together.

On the php sdk documentation you can find this:

Integration with the Facebook SDK for JavaScript

Used in conjunction with the Facebook SDK for JavaScript, the PHP SDK can share user sessions seamlessly across the client and server. If a user is logged in with Facebook and has authorized your app, the JavaScript SDK can pick up the user session and persist this in a cookie, which the PHP SDK reads without any intervention on the developer's part.

To enable this functionality, ensure that when you embed and initialise the JS SDK, you set both the status and the cookie parameters of the object passed to FB.init() to true.

And by using basic logic this all makes sense: on the client side you can create listeners to retrieve the user status (if he's logged in, if he has granted permissions, if he has logged out); doing this kind of action on the server side doesn't make any sense at all.

So my advice for you is to use the JavaScript SDK to handle user events, like the ones I mentioned before, and to handle the responses from the actions of the users, like when the user does a like, or shares a post using the feed dialogue, etc. With the PHP SDK you just check if you have a valid user, since you're sharing the same cookie for the client side and for the server side after you handle the login process with the JavaScript SDK. If you do this: $fb_id = $facebook->getUser() (after initializing the PHP SDK, of course), you'll get the user's Facebook id. Now that you know you have a valid user, you can use the PHP SDK to query information about the user, post on the user's behalf, etc.

Here's an example of a proper loading of the JavaScript SDK with cookie support:

<div id="fb-root"></div>
<script>
  window.fbAsyncInit = function() {
    // init the FB JS SDK
    FB.init({
      appId      : 'YOUR_APP_ID',                        // App ID from the app dashboard
      channelUrl : '//WWW.YOUR_DOMAIN.COM/channel.html', // Channel file for x-domain comms
      status     : true,                                 // Check Facebook Login status
      xfbml      : true,                                 // Look for social plugins on the page
      cookie     : true                                  // Persist the session in a cookie the PHP SDK can read
    });

    // Additional initialization code such as adding Event Listeners goes here
  };

  // Load the SDK asynchronously
  (function(d, s, id){
     var js, fjs = d.getElementsByTagName(s)[0];
     if (d.getElementById(id)) {return;}
     js = d.createElement(s); js.id = id;
     js.src = "//connect.facebook.net/en_US/all.js";
     fjs.parentNode.insertBefore(js, fjs);
   }(document, 'script', 'facebook-jssdk'));
</script>

And this is a simple piece of code on the server side just to enlighten you:

<?php
require_once("facebook.php");

$config = array();
$config['appId'] = 'YOUR_APP_ID';
$config['secret'] = 'YOUR_APP_SECRET'; // keep the secret on the server only
$config['fileUpload'] = false; // optional

$facebook = new Facebook($config);
// With cookie:true in FB.init(), the SDK reads the signed fbsr_<appId> cookie
// and verifies it with the app secret, so a fabricated cookie yields no user.
try {
    $user_profile = $facebook->api('/me','GET');
    $user_name = $user_profile['name'];
    $user_email = $user_profile['email'];

} catch(FacebookApiException $e) {
    // If the user is logged out, you can have a
    // user ID even though the access token is invalid.
    // In this case, we'll get an exception, so we'll
    // just ask the user to login again here.
    $user_profile = null;
}

PS: this server-side code only works if the user has already granted permissions with the scope email.

Fabio Antunes
  • I couldn't get user information via PHP SDK after authorizing user using JS SDK. Setting `cookie: true` in `FB.init` solved my problem. Thanks! – King Julien Sep 15 '13 at 08:08
  • It might be useful to include the code to grant permissions for email etc. I searched for this info for ages before I finally found it. – karmafunk Oct 08 '13 at 14:45
  • @KingJulien how did it solve it exactly....how data is passed from the client to the server....in the code above I do not see any AJAX call made. – Dimitris Papageorgiou Mar 23 '16 at 18:03
  • @DimitrisPapageorgiou it sets a cookie – Fabio Antunes Mar 23 '16 at 18:16
  • @FabioAntunes...it sets it on the client....I do not understand how this cookie is accessible from the server. – Dimitris Papageorgiou Mar 23 '16 at 18:21
  • @DimitrisPapageorgiou the cookie is then sent to server on each request. You should learn more about cookies https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie – Fabio Antunes Mar 23 '16 at 18:24
  • @FabioAntunes...oh it is sent to Facebook servers (just saw that)....yes, but how am I going to grab the email of the logged-in user to create a session for him in my app..cause that is the goal. – Dimitris Papageorgiou Mar 23 '16 at 18:28

There are two parts to this question. Firstly, there is a difference in the UI flow. See: https://developers.facebook.com/docs/concepts/login/login-architecture/

1) Browser side with the JS SDK. You start off with the OAuth 2.0 dialog, obtaining the Access Token and then using this to access the Facebook API.

2) Server side uses the signed_request posted to the server. With this, you can extract the user_id. See: https://developers.facebook.com/docs/howtos/login/signed-request/

  • Step 1 - describe the signed_request, how you can obtain it from PHP or JS SDK
  • Step 2 - how to verify that the signed_request is not fabricated.

OAuth tokens from other providers can be integrated with FB. See my Dropbox example: apps.facebook.com/fileglu/ - circa Sept 2011; also check out the technical section for implementation details, including CSRF, CORS and avoiding JavaScript cryptography.

Alvin K.
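The cookie the JS SDK writes when `cookie: true` is set is a signed_request (base64url signature, a dot, base64url JSON payload, signed with HMAC-SHA256 under the app secret), which is why the PHP SDK can trust it without any AJAX call. The following Python is an added example, not code from the question, the answers or the PHP SDK: it mirrors the verification the PHP SDK performs before `getUser()` returns an id, and so covers both Fabio's cookie-sharing answer and Step 2 above (checking that the signed_request is not fabricated). The app id and secret are constructed placeholders, and `sign_payload` is a test helper standing in for Facebook's side.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder credentials for the example, not real ones.
APP_ID = "123456789"
APP_SECRET = "example-app-secret-kept-on-the-server"

def _b64url_decode(s):
    """Decode unpadded base64url, which is how the JS SDK writes the cookie."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_signed_request(signed_request, app_secret):
    """Return the payload dict only if its HMAC-SHA256 signature verifies."""
    if "." not in signed_request:
        return None
    encoded_sig, encoded_payload = signed_request.split(".", 1)
    try:
        sig = _b64url_decode(encoded_sig)
        payload = json.loads(_b64url_decode(encoded_payload).decode())
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(payload, dict) or str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    expected = hmac.new(app_secret.encode(), encoded_payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or edited in the browser: the client never has the app secret
    return payload

def user_id_from_cookies(cookies, app_id=APP_ID, app_secret=APP_SECRET):
    """The check getUser() relies on: read fbsr_<appId>, verify it, return user_id or None."""
    payload = parse_signed_request(cookies.get("fbsr_" + app_id, ""), app_secret)
    return payload.get("user_id") if payload else None

def sign_payload(payload, app_secret):
    """Test helper that builds a signed_request the way Facebook's servers do."""
    encoded_payload = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(app_secret.encode(), encoded_payload.encode(), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + encoded_payload

# Constructed cookies: a genuine one, and one forged by a client that does not know the secret.
GENUINE = {"fbsr_" + APP_ID: sign_payload({"algorithm": "HMAC-SHA256", "user_id": "1000"}, APP_SECRET)}
FORGED = {"fbsr_" + APP_ID: sign_payload({"algorithm": "HMAC-SHA256", "user_id": "1001"}, "guess")}
```

A valid cookie only proves who the user is; the payload carries a `code`, not an access token, so the server still exchanges it (which the PHP SDK does when you call `api('/me')`) before it can read the email.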

The Facebook JavaScript library and the PHP SDK can essentially be considered two entities that do not talk to one another, as one is client-side, and the other is server-side.

The PHP SDK gives you greater fine-grained control over a user's login session, while the JavaScript library is easier to get started with.

Typically, a user logged in via the JavaScript library is not automatically logged in on the server side, although in some cases, it may be possible to send the access token from client to server side. It is not advised, however, as this data can be intercepted.

This related question talks about sending the access token (as retrieved from the JS library) to the server side.

In essence:

FB.login(function(response) {
    var access_token = response.authResponse.accessToken;

    // Make an ajax call here to your server-side, and send access_token in.
});
    
Julian H. Lam
  • They _can_ talk to each other (JS -> PHP direction), if you initialize the JS SDK with option `cookie: true` – then PHP can read that cookie on the next request and see if there's a logged-in user or not. – CBroe Apr 05 '13 at 14:01