[Facebooker-talk] Fwd: [rfacebook] Re: How exactly are session cookies supposed to work? Will ensure_authenticated use them?
kevin lochner
klochner at gmail.com
Fri Jan 23 13:08:16 EST 2009
See below for a message I picked up on the rfacebook google group
mailing list.

I'm concerned with whether session_already_secured? is an accurate
indicator of facebook connection status. Bear with me while I step through
the logic, where I've included just the meat of the functions below:
session_already_secured?
  (@facebook_session = session[:facebook_session]) &&
    session[:facebook_session].secured? if valid_session_key_in_session?

session.secured?
  !@session_key.nil? && !expired?

valid_session_key_in_session?
  !session[:facebook_session].blank? &&
    (params[:fb_sig_session_key].blank? ||
     session[:facebook_session].session_key == facebook_params[:session_key])
The problem for connect is if the following sequence happens:
- user comes to your site and logs in via facebook,
- user goes to facebook in another browser tab and logs out
- user returns to your site
The connect app will have the following state:
- session[:facebook_session]
- @session_key && !expired?
- params[:fb_sig_session_key].blank?
So they're technically still logged in and your app will throw an
exception when trying to access user info.
One solution for a pure connect app is that the session is invalid if
the cookies aren't present. They don't need to be verified on each
request, but they should be checked for existence.

I don't know the best way to handle this because I don't know what
would cause the params[:fb_sig_session_key] to be blank in non-connect
apps while the user is still logged in. Can someone fill me in?
- kevin
Begin forwarded message:
> From: Aaron Nemoyten <swivelmaster at gmail.com>
> Date: January 21, 2009 6:23:51 PM EST
> To: All Things Facebook and Ruby <rfacebook at googlegroups.com>
> Subject: [rfacebook] Re: How exactly are session cookies supposed to
> work? Will ensure_authenticated use them?
> Reply-To: rfacebook at googlegroups.com
>
>
> Well, I've got an update yet again!
>
> Seems that it's possible that new sessions aren't created when they
> should be sometimes because of the order that Facebooker checks for
> valid session info.
>
> If you check out ensure_authenticated_to_facebook, you'll see this:
> def set_facebook_session
>   returning session_set = session_already_secured? ||
>       secure_with_facebook_params! || secure_with_cookies! ||
>       secure_with_token!
>   (etc.)
>
> Grabbing the old session if there is new session info available from
> the facebook_params seems to cause some problems, as well as trying to
> secure with cookies if there's an auth token available (usually
> involving my Safari iframe fix - we can pop out of the iframe with the
> auth token but no params, and Facebooker will grab the old cookie,
> thus rendering the iframe fix potentially useless).
>
> So my preferred order is params, session, auth token, cookies.
>
> Another issue I ran into (which may not be relevant since I moved the
> cookie auth method last) is that cookies from invalid sessions will
> make Facebooker throw an error when all I'd really want to do is just
> ignore them and make a new session, so I rescued secure_with_cookies!
> for Facebooker::Session::IncorrectSignature and just returned false.
>
> Not sure if I mentioned this before, but it's also necessary to modify
> request_comes_from_facebook? to make sure it doesn't incorrectly
> return false because it's looking for canvas-specific parameters.
>
> This seems to have fixed some problems for now.
>
> -Aaron
>
>
>
>
> On Jan 19, 12:56 am, PanosJee <pap... at freemail.gr> wrote:
>> Aaron your posts are highly appreciated, keep up
>> We also hope to post a few hints, unfortunately IFrames are badly
>> supported though they are superior technology compared to the limited
>> plain FBML apps
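A small Ruby model of the stale-session case Kevin walks through above, added here as an example (it is not Facebooker's code and comes from neither poster): the session object, Rails session hash, params and cookie jar are constructed stand-ins, and the Connect cookie names are placeholders.

```ruby
# Constructed stand-in for Facebooker's session object: "secured" means a
# key is present and the expiry has not passed (nil expiry never expires).
FbSession = Struct.new(:session_key, :expires_at) do
  def expired?
    !expires_at.nil? && Time.now > expires_at
  end

  def secured?
    !session_key.nil? && !expired?
  end
end

# Placeholder names for the cookies Facebook Connect sets in the browser;
# a real app would use the cookie names tied to its API key.
CONNECT_COOKIE_NAMES = %w[fbs_session_key fbs_user].freeze

# The check as described in the thread: a session secured on an earlier
# request stays "secured" as long as its key exists and has not hit its
# expiry, even after the user logged out of Facebook in another tab.
def session_already_secured?(session, params)
  fb = session[:facebook_session]
  return false if fb.nil?
  incoming = params[:fb_sig_session_key]
  key_ok = incoming.nil? || incoming.empty? || fb.session_key == incoming
  key_ok && fb.secured?
end

# Hardened variant for a pure Connect app, following Kevin's suggestion:
# the Connect cookies only need to exist (no signature check here), but
# if they are gone the stored session is dropped so a fresh login runs
# instead of a later API call raising on a dead session.
def connect_session_secured?(session, params, cookies)
  return false unless session_already_secured?(session, params)
  unless CONNECT_COOKIE_NAMES.all? { |name| cookies.key?(name) }
    session.delete(:facebook_session)
    return false
  end
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: logged in an hour ago, cookies since cleared.
  store = { facebook_session: FbSession.new("abc123", Time.now + 3600) }
  puts "naive check:    #{session_already_secured?(store, {})}"        # true
  puts "cookie check:   #{connect_session_secured?(store, {}, {})}"    # false
  puts "session kept?:  #{!store[:facebook_session].nil?}"             # false
end
```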