3
votes

I am implementing Facebook Login (for the web) for the first time and I had some questions regarding the user's session and the best practices for handling logout. Right now, I am using a combination of the JS SDK (only for the login flow if JS is enabled) and the PHP SDK.

Question 1: Should I save the Facebook access token in a PHP session or use the built-in "cookies: true" feature in the SDK?

Question 2: If a user that signed up via Facebook returns to the site after a few days, should they be auto logged in, or have to click a login via Facebook button, then just be logged in?

Question 3: If a FB logged in user logs out of my site, should I log them out of Facebook or just my site?

Question 4: If a FB logged in user logs out of Facebook while also on my site (different tab) should I automatically log them out of my site?

As for question #3: Per Platform Policies you are required to offer the user a logout button/link that logs them out of facebook.com at the same time. As for the rest – start here: developers.facebook.com/docs/facebook-login/checklist - CBroe
@CBroe About #3: Really? I can't find anything about that in their policies. Could you share a link if you know this exists? - Jonas Äppelgran
@Jonas: Well, that comment was from quite a while ago. Now that document redirects here, developers.facebook.com/docs/facebook-login/…, and the phrasing has changed a bit: "Once people are logged in, you should also give them a way to log out, disconnect their account, or delete it all together." - CBroe
@CBroe OK. I found some clarification now, not in the policies but in the reference docs, see my answer below. - Jonas Äppelgran

2 Answers

0
votes

1) You can save the access token in a database (but be wary of the expiry date) or save it in a session. Cookies would be the easiest way to manage this and take care of (2).

2) Depending on how you handle the sessions and the SDK you use, the user would automatically be logged in (e.g. the JavaScript method FB.getLoginStatus() to detect if the app has already been authed). You should have a "Login with Facebook" button on your app in any case, for new users.

3) If you use the logout methods in the SDK (e.g. FB.logout() in the JavaScript SDK), the user will be logged out of both your site and Facebook. This really depends on how you want to handle this. You can log them out of your site by deleting the session / cookie.

4) You should always check to see if the user is logged in whenever an action is taken on your site. If the user logs out of Facebook while on your site, eventually your site should pick it up (using FB.getLoginStatus()) and ask them to log in again.
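An added example, not code from the question or either answer, of the status flow this answer describes: it assumes the real SDK's `FB.getLoginStatus(cb)`, `FB.Event.subscribe('auth.statusChange', cb)` and `FB.logout(cb)` call shapes and the `{ status, authResponse: { accessToken, expiresIn, userID } }` response object, and substitutes a constructed stub for the `FB` global so it runs offline.

```javascript
// Added example: an app-side session that follows the Facebook JS SDK status flow the
// answer describes. The SDK object is injected so the logic runs here against the
// constructed stub below; in a browser you would pass the real global FB instead.
function attachFacebookSession(fb, now = () => Date.now()) {
  // Client-side record of the Facebook login. It only drives the UI: the server must still
  // verify the token (PHP SDK / Graph API) before trusting any request that carries it.
  const session = { userId: null, accessToken: null, expiresAt: null };
  function handleStatus(response) {
    if (response.status === "connected") {
      const auth = response.authResponse;
      session.userId = auth.userID;
      session.accessToken = auth.accessToken;
      // expiresIn is seconds from now; keep the absolute expiry ("be wary of the expiry date").
      session.expiresAt = now() + auth.expiresIn * 1000;
    } else {
      // "not_authorized" or "unknown": logged out of Facebook or app never authorised,
      // so drop the local copy instead of keeping a stale token around (question 4).
      session.userId = session.accessToken = session.expiresAt = null;
    }
    return session;
  }
  function isLoggedIn() {
    return session.accessToken !== null && session.expiresAt > now();
  }

  // App logout goes through FB.logout(), which also ends the Facebook session (question 3);
  // its callback gets the new status, so local state is cleared by the same code path.
  function logout(done) {
    fb.logout((response) => { handleStatus(response); if (done) done(session); });
  }

  // Initial check on page load (question 2: returning users are recognised automatically),
  // then keep following changes such as a logout in another tab (question 4).
  fb.getLoginStatus(handleStatus);
  fb.Event.subscribe("auth.statusChange", handleStatus);
  return { handleStatus, isLoggedIn, logout, session };
}

// Constructed stand-in for the real FB global, so the example runs without the SDK loaded.
function makeFakeFB(initialStatus) {
  const listeners = [];
  return {
    status: initialStatus,
    getLoginStatus(cb) { cb(this.status); },
    Event: { subscribe(name, cb) { if (name === "auth.statusChange") listeners.push(cb); } },
    // Simulates Facebook reporting a change, e.g. the user logging out of facebook.com elsewhere.
    emit(status) { this.status = status; listeners.forEach((l) => l(status)); },
    logout(cb) { this.emit({ status: "unknown", authResponse: null }); cb(this.status); },
  };
}
```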

0
votes

3) Facebook will decide if a user should be logged out of Facebook also or only your site/app, at least when using the JS SDK. From their docs, see link for some case examples:

"The method FB.logout() logs the user out of your site and, in some cases, Facebook." - Facebook docs