15
votes

I'm developing using the Facebook PHP SDK.

I wanted to make it so that when the user logs out of Facebook, they will automatically be logged out of my website too.

I am using the following code to detect the session, using the session cookie:

$facebook->getUser();

For some reason, the getUser() function still returns the user's Facebook ID, even after they have logged out of Facebook on their website.

Am I to detect the session first using another function?

In the official documentation example here is the following excerpt from their comments:

// Get User ID
$user = $facebook->getUser();

// We may or may not have this data based on whether the user is logged in.
//
// If we have a $user id here, it means we know the user is logged into
// Facebook, but we don't know if the access token is valid. An access
// token is invalid if the user logged out of Facebook.

This led me to believe that the session cookie for Facebook would become unset upon Facebook logout?

Kind Regards,

Luke

5 Answers

12
votes

I have the same issue!

The FB PHP SDK saves those things into the $_SESSION! You can delete them like this when your user clicks logout:

$_SESSION['fb_'.APP_ID.'_user_id'] = '';
$_SESSION['fb_'.APP_ID.'_access_token'] = '';

Although this is not the final solution, it works for now.

I appreciate comments and solutions on that!

3
votes

I want to give an alternative, in a way you don't have to handle session stuff. Although, I must warn you this is slower than cleaning up the session, because it relies on a new request. What we're doing in the code below is to check on Facebook if the token is still valid. Here it is:

try {
    $facebook->api('/me','GET');
    $logged = true;
} catch(FacebookApiException $e) {
    $logged = false;
}

In my case, I was doing everything using the JavaScript SDK, so I couldn't clean the session on logout. But on my landing page, I needed a workaround to check it before sending the response back.

If you're facing something like this, it's definitely a good solution.

2
votes

The problem seems to be in php-sdk in base_facebook.php at line 567

protected function getSignedRequestCookieName() {
    return 'fbsr_'.$this->getAppId();
}

This method returns the name of the cookie the sdk is looking for. However, javascript-sdk uses 'fbs_' prefix. Change this to 'fbs_' and it works fine.

return 'fbs_'.$this->getAppId();}

1
votes

$facebook->destroySession();

0
votes

To destroy the session you can also use: $facebook->destroySession();
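
Added example, not code from any answer above or from the SDK: it combines the /me token check and destroySession() from the answers, so the ID cached in $_SESSION is trusted only after Facebook accepts the token, and is cleared only when Facebook rejects it. verifiedFacebookUser() and StubFacebook are hypothetical names; the stub and the guarded exception class are constructed stand-ins so the block runs without the SDK or network access.

```php
<?php
// Added example; verifiedFacebookUser() and StubFacebook are hypothetical names.
// Stand-in for the SDK's exception so the block runs without the SDK loaded.
if (!class_exists('FacebookApiException')) {
    class FacebookApiException extends Exception {
        private $type;
        public function __construct($type) { parent::__construct($type); $this->type = $type; }
        public function getType() { return $this->type; }
    }
}

// Returns the Facebook user ID only if Facebook still accepts the token, else 0.
function verifiedFacebookUser($facebook) {
    $user = $facebook->getUser();        // served from $_SESSION, may be stale
    if (!$user) { return 0; }
    try {
        $facebook->api('/me', 'GET');    // one round trip to the Graph API
        return $user;
    } catch (FacebookApiException $e) {
        if ($e->getType() === 'OAuthException') {
            // Token rejected: drop the SDK's cached ID and token, rotate session ID.
            $facebook->destroySession();
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true);
            }
        }
        // Any error, including a network failure, fails closed for this request.
        return 0;
    }
}

// Constructed stand-in for the SDK object, for an offline run.
class StubFacebook {
    public $cached = '1000001';          // constructed user ID
    public $error = null;
    public function getUser() { return $this->cached; }
    public function api($path, $method) {
        if ($this->error) { throw new FacebookApiException($this->error); }
        return array('id' => $this->cached);
    }
    public function destroySession() { $this->cached = 0; }
}

$fb = new StubFacebook();
var_dump(verifiedFacebookUser($fb));     // token accepted
$fb->error = 'OAuthException';
var_dump(verifiedFacebookUser($fb));     // token rejected
var_dump($fb->getUser());                // cache cleared by destroySession()
```

The caller still has to clear its own login state for the site when the function returns 0; destroySession() only removes what the SDK stored.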