I'm using Facebook's PHP SDK to log users in to my website, like so:
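
    <?php
    $facebook = new Facebook(array(
        "appId"  => "myAppID",
        "secret" => "mySecret",
    ));

    // Facebook user ID of the logged-in user, or 0 if nobody is logged in
    $user = $facebook->getUser();
    if ($user) {
        try {
            // user is authenticated
            $user_profile = $facebook->api("/me");
        } catch (FacebookApiException $ex) {
            $user = null;
        }
    }

    if ($user) {
        $logoutURL = $facebook->getLogoutUrl();
    ?>
        <img src="https://graph.facebook.com/<?php echo htmlspecialchars($user); ?>/picture" />
        <a href="<?php echo htmlspecialchars($logoutURL); ?>">Logout</a>
        <!-- escape profile fields so user-controlled text cannot inject markup -->
        <pre><?php echo htmlspecialchars(print_r($user_profile, true)); ?></pre>
    <?php
    } else {
        // build the login URL for visitors who are not logged in
        $loginURL = $facebook->getLoginUrl();
    ?>
        <a href="<?php echo htmlspecialchars($loginURL); ?>">Login</a>
    <?php
    }
    ?>
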
The problem is that when a user returns to the site, they're no longer logged in, and have to log back in.
Is it possible for returning users to remain logged in?
Update:
My exact solution ended up being a combination of the JavaScript and PHP Facebook SDKs.
The problem is that a cookie isn't used to store the Facebook login information—a PHP session is (PHP session cookies expire when the browser is closed). In addition to this, unless you have offline access, the access tokens expire. In other words, even if you were to store the Facebook access token in a cookie, it would eventually expire and the user would be logged out.
The JavaScript I ended up using:

    FB.init({
        appId: "myAppID",
        cookie: true, // enable cookies to allow the server to access the session
        xfbml: true,  // parse XFBML
        oauth: true   // enable OAuth 2.0
    });

    FB.Event.subscribe("auth.login", function(response) {
        // a user logged in who was not previously logged in
        window.location.reload(true); // ideally modify the page with JS rather than refreshing
    });

    FB.Event.subscribe("auth.logout", function(response) {
        // a user logged out who was previously logged in
        window.location.reload(true); // ideally modify the page with JS rather than refreshing
    });

    // check if the user is logged in or not, using the Facebook JS SDK
    FB.getLoginStatus(null);

When the page is loaded, the Facebook JavaScript SDK checks with Facebook to see if the user is logged in. If the user is logged in, and the cookie isn't already set, it will be set. You can then refresh the page (or, ideally, modify it with JavaScript) and the server will be able to access the cookie using the regular PHP SDK (and the first piece of code in this question).
This is the best way I've found for persistent logins across browsing sessions.
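
The cookie set by the JavaScript SDK is only trustworthy once the server has checked its signature against the app secret. As an added example (not part of the original post and not the SDK's own code), this shows that check, assuming the cookie is named `fbsr_<appId>` and holds a signed request of the form `base64url(signature).base64url(JSON payload)` signed with HMAC-SHA256; the function names and all sample values are constructed.

```php
<?php
// Added example: verify a Facebook-style signed request before trusting its user_id.
// Function names and all sample values below are constructed for illustration.

function b64url_decode(string $s)
{
    $s = strtr($s, '-_', '+/');
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4); // restore stripped padding
    return base64_decode($s, true);                  // false on invalid characters
}

function b64url_encode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns the decoded payload array, or null if the value is malformed or forged.
function verify_signed_request(string $value, string $appSecret): ?array
{
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($encodedSig, $encodedPayload) = $parts;
    $sig  = b64url_decode($encodedSig);
    $data = json_decode((string) b64url_decode($encodedPayload), true);
    if ($sig === false || !is_array($data)) {
        return null;
    }
    // Pin the algorithm; never let the payload choose how it is verified.
    if (($data['algorithm'] ?? null) !== 'HMAC-SHA256') {
        return null;
    }
    // The MAC covers the still-encoded payload; compare in constant time.
    $expected = hash_hmac('sha256', $encodedPayload, $appSecret, true);
    return hash_equals($expected, $sig) ? $data : null;
}

// Constructed sample: a genuine value, then one whose payload was swapped.
$secret  = 'constructed-app-secret';
$payload = b64url_encode(json_encode(['algorithm' => 'HMAC-SHA256', 'user_id' => '1234567890']));
$forged  = b64url_encode(json_encode(['algorithm' => 'HMAC-SHA256', 'user_id' => '42']));
$sig     = b64url_encode(hash_hmac('sha256', $payload, $secret, true));

var_dump(verify_signed_request("$sig.$payload", $secret) !== null); // genuine cookie
var_dump(verify_signed_request("$sig.$forged", $secret) !== null);  // tampered payload
```

On a live page the input would be `$_COOKIE['fbsr_' . $appId]`, and a `null` result means the visitor is treated as logged out regardless of what the cookie claims.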