Facebook PHP SDK – how do I know if $facebook->getUser() is the user I need?

Question

This is quite tricky to explain in just a few words, so let me be a bit more precise.

I have a website that optionally connects to facebook to offer more features. For these features, the site fetches some information through the graph api : basic profile + friends.

Some users connect directly with Facebook while some others connect in a more classic way with their login/password.

For those who connect with their login and password, and want to connect their account to facebook, I proceed the usual way with the php SDK. Adapted from facebook's github :

// Get User ID
$user = $facebook->getUser();

// We may or may not have this data based on whether the user is logged in.
//
// If we have a $user id here, it means we know the user is logged into
// Facebook, but we don't know if the access token is valid. An access
// token is invalid if the user logged out of Facebook.

if ($user) 
{
  try 
  {
    // Proceed knowing you have a logged in user who's authenticated.
    $user_profile = $facebook->api('/me');
    $user_friends = $facebook->api('/me/friends');
  } 

  catch (FacebookApiException $e) 
  {
    error_log($e);
    $user = null;
  }
}

else
{
    header('Location:'.$facebook->getLoginUrl());
}

The problem is, if a user connects from a friend's device, chances are that the browser is connected to his friend's facebook, and not to my user's. Or there might be no connected user to facebook at all.

Hence, $facebook->getLoginUrl() won't connect to my user's facebook, but to his friend's. It's quite annoying because it will popup the autorization dialog if his friend has never connected to my app…

Alternatively, if there was no connected user, it starts by asking to connect to one's facebook account.

In both cases, I would rather not connect to Facebook through the loginUrl and use a token (stored in database) to access the required datas. Nevertheless, these tokens last 60 days only, so each time the user can connect through the loginUrl, it's better because it refreshes the token expiry date.

At last, my question is: is it possible to know a user's id before redirecting to the loginUrl, or to know if no user is connected to facebook at all?

Or is there any other solution that could avoid to prompt the auth dialog?

Answer 1

since your using a 3rd party login system i would say your not really dealing with sensitive information. more than likely your dealing with some sort of community networking. i wouldn't worry about the issue your facing to much because if a user didnt want someone to see there sensitive information they would sign out of facebook. though a solution you could do would be to clear facebook cookies and force the website to sign them out. but your user might not like that. sooo you could do this..

>>clear face book cookies
>>ask login info
>>relog into facebook

relogging into face book might be a little tricky but im sure you can figure it out.

to finalize your question on is it possible to know a users id before redirecting to the login url, the answer is yes. just check for the facebook cookies and decode them if they are encoded.