How should I handle a user logging out of Facebook but remaining logged in on my website?

Question

The way I have set it up is that when the user first visits the site, it will ask them to login with Facebook. It gets an access token and creates a session on my site.

If at any point the user logs out of facebook, say in another tab, the session will still exists within in my application.

The only way I can see to detect if the user is still logged into Facebook is re-requesting an access token as there doesnt seem to be a way to check if an existing access token is still valid.

I did try simply doing:

file_get_contents('https://graph.facebook.com/me?access_token=xxx')

but, since the token is no longer valid (as the user has logged out), file_get_contents returns an error, although, viewing this in the browser shows the oauth exception but im assuming file_get_contents is erroring because of the HTTP response code

Answer 1

You could do something like this I think:

@$data=file_get_contents('https://graph.facebook.com/me?access_token=xxx');
foreach ($http_response_header as $rh) if (substr($rh, 0, 4)=='HTTP') list(,$status,)=explode(' ', $rh, 3);
if ($status==200 && $data)
    //Token is good, parse data
else
    //Token is no good

Answer 2

There are a lot of questions in here .. i would just share some insight:

1. If a user logs out FB in 1 tab of a browser he will be logged out of all tabs

2. If an FB application has asked for a user's permissions like offline_acess they can show them any relevant content they want to if they have maintained some sore of fb id and their own id mapping .. the access_token shall be needed for fetching any information ofcourse

3. access_token remains valid if you have not explicitly asked for an access_token with expiry date ..

4. access_token changes if the user changes any FB credentials. which a FB app cannot detect