[Facebooker-talk] Fwd: [rfacebook] Re: How exactly are session cookies supposed to work? Will ensure_authenticated use them?
kevin lochner
klochner at gmail.com
Mon Jan 26 12:06:44 EST 2009
hey vince -
I'm with you now, see below. Comments appreciated from anyone
as I think there are tradeoffs to be considered in how we approach this.
> 0) User is initially logged out of facebook.com
>
>
> 1) User clicks on the login button and inputs his credentials. He's
> logged in correctly to the rails app (rails view successfully reports
> that the user is "logged in as so and so"). Cookies are placed in the
> user's browser with a valid session_key, etc..
>
> 2) User goes to facebook.com and he's logged in. He then clicks
> 'logout' on facebook.com
>
> 3) User reloads the fb_connect/index view and throws an "Session key
> invalid or no longer valid" exception. Cookies stick around.
>
> From my understanding of the code, this is what seems to be happening:
>
> - Cookies are placed at step #1. Logging out of facebook.com at step
> #2 expires the session_key stored in the cookies. However, logging out
> doesn't delete them (should it?).
>
The cookies will be cleared on the 2nd request after the user logs out of facebook, which is a little late to avoid throwing an exception if you're invoking the rest api, but this is going to be a relatively rare occurrence, so I'd rather avoid forcing an extra ping of facebook on every request.
> - Because the cookies weren't deleted, they hang out until the next
> reload. Upon reloading the fb_connect/index view, they're scooped up
> and used to parameterize a facebook_session. Or, if the reload has
> happened within a short enough period, the facebook_session stored in
> the user's session variable is used.
>
We're not going to save cookie-based session information in the session hash anymore, remove the last line from secure_with_cookies! (session[:fb_session] = @session)
> - In either case, facebooker doesn't explicitly check that the
> facebook_session created from cookies or the session is valid. Hence
> the next reload of the view will throw an exception.
I don't like forcing an extra POST to facebook on every page request just to make sure the user hasn't logged out of fb elsewhere. I timed them at between .25 and .5 seconds a pop. Also note that we'd be forcing an extra post for all canvas apps even though they don't have the invalid cookie problem.
If you're using fb connect only as a secondary login credential, you may never throw an exception anyway, and the cookies will pick up state within a couple of requests (or the session key can expire based on time before they send another request).
we could add a test_facebook_session method that you can call in any controllers that use the facebook rest api and were secured with cookies, but I'd prefer the following in facebooker/.../controller.rb:
> def self.included(controller)
>   ...
>   controller.rescue_from Facebooker::Session::SessionExpired, :with => :session_expired
> end
>
> def session_expired
>   clear_fb_cookies!
>   clear_facebook_session_information
>   flash[:error] = "Your facebook session has expired."
>   redirect_to "/"
> end
note that with this approach you will have to explicitly pre-load data in the controller rather than invoking the facebook rest api in the view (which is what you did in your example).
- kevin
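The rescue_from approach from the message above, as an added Rails-free sketch that is not Facebooker's own code: Facebooker::Session::SessionExpired is the exception named in the thread, while the controller, the tiny rescue_from emulation and the fake REST call (users_get_info, LIVE_KEYS, logout_elsewhere!) are hypothetical stand-ins. It shows why the REST data has to be loaded in the action rather than the view, and that the session is rebuilt from cookies each request instead of being stored in the session hash.

```ruby
# Added example, not Facebooker's code. Facebooker::Session::SessionExpired is the
# exception from the thread; the controller, rescue_from emulation and REST stub are hypothetical.
module Facebooker
  class Session
    class SessionExpired < StandardError; end
    LIVE_KEYS = ["key-abc123"] # constructed stand-in for Facebook's live session keys
    def self.logout_elsewhere!(key) ; LIVE_KEYS.delete(key) ; end
    def initialize(session_key) ; @session_key = session_key ; end
    # Stand-in REST call: fails once the key was invalidated by a facebook.com logout.
    def users_get_info
      raise SessionExpired, "Session key invalid or no longer valid" unless LIVE_KEYS.include?(@session_key)
      { "name" => "so and so" }
    end
  end
end
class FbConnectController
  HANDLERS = {}
  # Minimal emulation of Rails' rescue_from: exception class -> handler method name.
  def self.rescue_from(klass, opts) ; HANDLERS[klass] = opts[:with] ; end
  rescue_from Facebooker::Session::SessionExpired, :with => :session_expired
  attr_reader :cookies, :flash, :redirected_to, :user
  def initialize(cookies) ; @cookies = cookies ; @flash = {} ; end
  # Dispatch an action; a registered exception is routed to its handler.
  def process(action)
    send(action)
  rescue StandardError => e
    _, handler = HANDLERS.find { |k, _| e.is_a?(k) }
    raise unless handler
    send(handler)
  end
  # Pre-load the REST data here, not in the view, so the rescue above sees the failure.
  def index
    @user = facebook_session.users_get_info
    :rendered
  end
  # Rebuilt from the cookies on each request; nothing is kept in the session hash.
  def facebook_session
    @facebook_session ||= Facebooker::Session.new(cookies["session_key"])
  end
  def session_expired
    clear_fb_cookies!
    clear_facebook_session_information
    flash[:error] = "Your facebook session has expired."
    @redirected_to = "/"
    :redirected
  end
  def clear_fb_cookies! ; cookies.delete("session_key") ; end
  def clear_facebook_session_information ; @facebook_session = nil ; end
end
```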