
Facebook PHP SDK getUser() method returning uid even after unauthorizing application from facebook

I'm writing a web app that uses facebook's PHP SDK. I'm using the getUser() method to authenticate users similar to this:

    $user = $this->facebook->getUser();
    $loginUrl = $this->facebook->getLoginUrl(array(
        'scope' => 'email,publish_stream',
        'redirect_uri' => base_url() . 'index.php/welcome/create'
    ));

    if(!$user){
        /*
         * User not authenticated, present with facebook authorize dialog
         * */
        echo "<script type='text/javascript'>window.location = '$loginUrl';</script>";
        die();
    }
What I don't understand is why getUser() continues to return my facebook uid even after I've removed the app from my Facebook privacy settings. Anyone know why?

This is because the user id is still in the session!

This is mainly causing an error when making calls with the me object (active access token is needed, or something like that).

One way to over come this would be:

try {
    $user_profile = $this->facebook->api('/me');
} catch (FacebookApiException $e) {
    error_log($e);
    $user = null;
    // DESIRED_ERR_NUM is a placeholder for the error code you decide to handle
    if ($e->getCode() == DESIRED_ERR_NUM && session_id()) {
        session_destroy(); // OR UNSET FB RELATED VARS ONLY
    }
    echo '<script>top.location.href = "' . $this->facebook->getLoginUrl(array("scope" => "publish_stream,user_about_me", "redirect_uri" => "YOUR_URL_HERE")) . '"</script>';
    exit;
}

This is NOT working code: you need to check the error number AND, if you have a session, destroy it OR just unset the Facebook related vars in it.

You can check if this is true by executing:

if(session_id()) {
    session_destroy();
}

(please note that this will destroy EVERYTHING in the session not only Facebook related stuff!)

As I said, this is not working code, but hopefully it will get you started (this can definitely be enhanced, pushed into the Facebook class, etc.).

The implementation of their website is not in sync with the development of their API. It's two separate lines of development. So they have quite a few developers working on the website portion, and people working on the SDK, and so either something wasn't properly communicated to both teams or there was an incorrect implementation of defined requirements from one of the teams. Or simply a change in requirements that affected one team but not the other.

This is also troubling, because this can be a means to access private data via the API that may have been disallowed by the user via the website.

Unfortunately ifaour's solution did not work for me. I added an additional function within the NativeFacebook class:

public function clearSessionData() {
    $this->setAccessToken(null);      // drop the cached access token
    $this->user = 0;                  // reset the cached user id getUser() returns
    $this->clearAllPersistentData();  // remove the fb_<appid>_* entries from the session
}

For simplicity's sake, you can just keep it a public function. Then in your catch statement, you can add

$this->facebook->clearSessionData();

to ensure all traces of previous connected Facebook account data are removed.

You can try this:

Written by Umer Pasha:

Facebook getUser() function returning user ID after logout

The problem seems to be in php-sdk, in basefacebook.php at line 567:

protected function getSignedRequestCookieName() {
    return 'fbsr'.$this->getAppId();
}

This method returns the name of the cookie the sdk is looking for. However, javascript-sdk uses 'fbsr_' prefix. Change this to 'fbs_' and it works fine.

Old thread, but somebody may still check it.

In the PHP-SDK v3.2.2 there is a public method for this: destroySession(). This will not destroy your $_SESSION, just clear all the cached data that the class has collected. It's in base_facebook.php.
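Pulling the answers above together, here is an added example (not code from the thread or from the SDK) of treating the session-cached uid as a hint and only trusting it after a Graph call succeeds, clearing the SDK's cached state with destroySession() when it does not. It assumes PHP SDK v3.2.2 or later (for destroySession()) and uses placeholder app credentials and redirect URL.

```php
<?php
// Added example, not from the original thread. Assumes the Facebook PHP SDK
// v3.2.2+ is installed so facebook.php, base_facebook.php and the
// FacebookApiException class are available.
require_once 'facebook.php';

/**
 * Return the user id only if the cached token still works.
 *
 * getUser() answers from the SDK's persistent data (the fb_<appid>_* entries
 * in $_SESSION), so it keeps returning a uid after the user has removed the
 * app. The only authoritative check is a Graph call that needs a live token.
 */
function verifiedFacebookUser(Facebook $facebook) {
    $uid = $facebook->getUser();
    if (!$uid) {
        return 0;                           // nothing cached: normal logged-out case
    }
    try {
        $profile = $facebook->api('/me');   // fails once the app is deauthorized
        return (int) $profile['id'];        // token still valid, trust the uid
    } catch (FacebookApiException $e) {
        error_log('Stale Facebook session for uid ' . $uid . ': ' . $e->getMessage());
        // Drop only the SDK's cached state (token, uid, code, state), not the
        // whole PHP session, so unrelated session data survives.
        $facebook->destroySession();
        return 0;
    }
}

$facebook = new Facebook(array(
    'appId'  => 'YOUR_APP_ID',      // placeholder
    'secret' => 'YOUR_APP_SECRET',  // placeholder
));

$user = verifiedFacebookUser($facebook);
if (!$user) {
    $loginUrl = $facebook->getLoginUrl(array(
        'scope'        => 'email',
        'redirect_uri' => 'https://example.com/index.php/welcome/create', // placeholder
    ));
    header('Location: ' . $loginUrl);
    exit;
}
echo 'Logged in as ' . htmlspecialchars($user);
```

On SDK builds older than v3.2.2 that lack destroySession(), the clearSessionData() helper from the earlier answer does the same job.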
