
Differentiate a not-logged-in Facebook user vs. a logged-in Facebook user who has not authorized our application yet

I have some trouble when using JavaScript code for Facebook invite friends. Details:

  1. Facebook user A already authorized our web application, and gave us the permission to offline-access their access tokens.

  2. User A logged in to our web. The system detects that A synchronized his account (on our web) with Facebook, so it retrieves A's information from Facebook.

  3. In the same browser, A opens a new tab and logs out of Facebook.

  4. A user B borrows A's computer, and then logs in to Facebook, but with his own account: Facebook user B.

  5. He moves to our web (the tab that A already opened), and clicks "Invite friends". The list shows all the friends of user B, not user A.

This scenario (though it very rarely happens) troubled our group testers, because it may cause unexpected behavior for our web application (a user may think he synchronized the wrong Facebook account).

To stop that case, I want to differentiate who is currently logged in to Facebook (user B) from the user who has authorized our application (user A). Currently I'm checking like this:

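function showInvitationDialog() {
    // ${appId} and ${fbId} are filled in by the server-side template
    FB.init({
        appId: '${appId}',
        cookie: false,
        status: true,
        xfbml: true
    });

    FB.getLoginStatus(function (response) {
        // response.session is only set when the user is logged in to Facebook
        // AND has already authorized this app
        if (response.session) {
            // Stop if the Facebook account in this browser is not the registered one
            if (response.session.uid != ${fbId}) {
                alert("You are currently logged in to FB with another account (different to the account you registered). Please make sure that you don't accidently use others FB account to invite");
                return;
            }
        }

        // Open the app-request (invite friends) dialog
        var request_ids = FB.ui({ method: 'apprequests',
                                  message: '<@spring.message code="friends.invitation.message" />',
                                  data: 'hello' });
    });
}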

The above code works for most cases, but it has a problem:

  1. If user X is logged in as Facebook user X', and he has authorized our app already: response.session.uid = X_FacebookId -> ok, we know who he is
  2. If user X is not logged in to Facebook, response.session == undefined
  3. If user X is logged in as Facebook user X', and he hasn't authorized our application yet, response.session == undefined

So I cannot differentiate case 2 from case 3. In both cases, the result from getLoginStatus is the same, but I want to handle them differently:

  • case 2 -> continue to call the function to let the "Login dialog" pop up
  • case 3 -> inform the user that he has logged into the wrong Facebook account.

Is there any solution for this situation? Any idea will be greatly appreciated.

getLoginStatus() returns a JSON object which looks like:

{
    status: one of 'not_authorized' / 'connected' / 'unknown'
    authResponse: ....
}

not_authorized means they are logged into Facebook but haven't authorized your app, connected means they have authorized the app, unknown means they are not logged into Facebook.

(from memory so might not be exact)

Also, you might want to consider listening for auth events, which might make this problem easier. http://developers.facebook.com/docs/reference/javascript/FB.Event.subscribe/
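The three status values described in the answer, mapped onto the question's cases, as an added example that is not part of the original posts. The names decideInviteAction and expectedFbId are hypothetical; authResponse.userID is the ID field the Facebook JS SDK places in the auth response.

```javascript
// Added example. Pure decision function, kept separate from the SDK calls
// so the account check can be tested on its own.
// expectedFbId: the Facebook ID the site stored for the signed-in user (user A).
function decideInviteAction(response, expectedFbId) {
  var status = response && response.status;
  if (status === 'connected') {
    var auth = response.authResponse || {};
    if (!auth.userID) {
      return 'prompt_login';            // malformed response: treat as not logged in
    }
    // Compare as strings: Facebook IDs can exceed 2^53 and collide as JS numbers.
    return String(auth.userID) === String(expectedFbId)
      ? 'show_invite'                   // case 1: same account, app authorized
      : 'wrong_account';                // user B has also authorized the app
  }
  if (status === 'not_authorized') {
    return 'wrong_account';             // case 3: logged in, app not authorized
  }
  return 'prompt_login';                // case 2: 'unknown', not logged in
}

// Browser wiring (requires the Facebook SDK to be loaded and FB.init called).
function showInvitationDialog(expectedFbId) {
  FB.getLoginStatus(function (response) {
    switch (decideInviteAction(response, expectedFbId)) {
      case 'show_invite':
        FB.ui({ method: 'apprequests', message: 'Join me', data: 'hello' });
        break;
      case 'wrong_account':
        alert('The Facebook account in this browser is not the one linked to your profile.');
        break;
      default:
        FB.login(function () {});       // let the login dialog pop up
    }
  });
}
```

This check only steers the UI; any action the server takes on behalf of a Facebook account should be tied to the ID the server itself has on record.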
