
How to get the best performance from Facebook canvas authentication

Facebook documents that you need to do the following for canvas login:

  1. Include the Facebook library
  2. Instantiate the class with the App Id and secret
  3. Check that the user has a valid session

    If they do, also check that you can get their user object by doing an API call to /me

    If they don't, then process the login redirect

All this, especially the Facebook calls, can take quite some time to process.

The example shows this in terms of code: http://github.com/facebook/php-sdk/blob/master/examples/example.php

And from what I read, it seems required on every page, because a user can log out / remove the app / change permissions etc. during the session.

My question is: what is the ideal way of doing the above in terms of performance gains, while still making sure that it conforms to the nuances of Facebook?

Facebook do give a session expire time which seems to be in GMT.

I code in PHP using the Zend Framework but I suppose the above relates to all languages.

Appreciate your help on this

Ian, store your user's Facebook credentials in the user-related table (or whatever):

facebook_user_id facebook_secret facebook_token

Make it come out something like:

$user->facebook_session_array();

Then just pass that into your API class when you want to reuse it. There is nothing you can do to make the OAuth process (on authentication) go any faster because it has to happen live.

Cache the living daylights out of anything and everything you bring back from Facebook. Run some crons in the background to either insert that stuff into a table or stamp it down on a drive. Your cron script should be able to handle potential rate limitations. I wrote some, but Facebook is so slow, I think it was pointless.

Facebook is slow. Don't make your app wait for it in any way you can avoid.

First of all, you'll have to authorize a user via the Facebook API if you'd like to work with data of this user. As a result of a successful authentication, your application will receive an access_token and an expire_time. The value of expire_time is expressed in seconds, not a timestamp in GMT.

Your application has permission to store the access_token and expire_time within its own session handling, e.g. You'll need the access_token to make requests on behalf of the user to the Facebook API. With the expire_time value (and the time you authorized the user) you can check the validity of your access_token before calling FB API methods... and in case it has expired, you should reauthenticate.

You definitely do NOT need to reauthenticate on every page reload of that user.

If the user changes something on Facebook (e.g. removes your application), then a call to the API might fail with an "OAuthException" error. Your application should be aware of such errors and handle them appropriately.
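
The flow from the answer above (keep access_token and expire_time in your own session, check expiry locally, and treat an "OAuthException" as the signal to reauthenticate), as an added example that is not part of the original posts or of the Facebook SDK. The names `FacebookTokenStore`, `OAuthError` and the `$api` callable are hypothetical, and the sample token and times are constructed; it assumes PHP 8.

```php
<?php
// Hypothetical stand-in for the "OAuthException" error returned by the API.
class OAuthError extends RuntimeException {}

final class FacebookTokenStore
{
    private const SKEW = 60; // treat the token as expired this many seconds early
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session; // would be $_SESSION; a plain array keeps this runnable offline
    }

    // expire_time is a lifetime in seconds, so the issue time must be recorded with it.
    public function store(string $accessToken, int $expireTime, int $now): void
    {
        $this->session['fb'] = ['token' => $accessToken, 'issued' => $now, 'expires_in' => $expireTime];
    }

    // Local check only: no round trip to Facebook on each page load.
    public function validToken(int $now): ?string
    {
        $fb = $this->session['fb'] ?? null;
        if ($fb === null || $now >= $fb['issued'] + $fb['expires_in'] - self::SKEW) {
            return null;
        }
        return $fb['token'];
    }

    // Run an API call; if the user removed the app or changed permissions,
    // the call fails, the cached token is dropped and the caller must reauthenticate.
    public function call(callable $api, int $now): array
    {
        $token = $this->validToken($now);
        if ($token === null) {
            return ['status' => 'reauth'];
        }
        try {
            return ['status' => 'ok', 'data' => $api($token)];
        } catch (OAuthError $e) {
            unset($this->session['fb']);
            return ['status' => 'reauth'];
        }
    }
}

// Constructed sample run: fresh token, token past its lifetime, app removed by the user.
$session = [];
$store = new FacebookTokenStore($session);
$store->store('SAMPLE_TOKEN', 3600, 1000);
var_dump($store->call(fn($t) => ['id' => '42'], 1500)['status']);
var_dump($store->call(fn($t) => ['id' => '42'], 1000 + 3600)['status']);
var_dump($store->call(fn($t) => throw new OAuthError('revoked'), 1500)['status']);
```

Keeping the token in the server-side session rather than in a cookie or page markup means it is never sent back to the browser.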
