huuanh1987 / facebook-java-api

Automatically exported from code.google.com/p/facebook-java-api

Whether auth_getSession produces a session secret shouldn't depend on whether _isDesktop is set #179

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
As described in http://code.google.com/p/facebook-java-api/wiki/DesktopMode, the
server that is generating the secret session shouldn't be set in
desktop mode. It's only the desktop client itself that receives and uses
the secret session that should be marking itself as "Desktop mode". By
marking itself as Desktop, it will be notifying the API to expect failures
when calling some methods and allowing the API to handle these scenarios
smoothly. That's the only reason to bother to setIsDesktop(true).

Changes to be made:
  * Create a new version of auth_getSession(authToken, boolean generateSecretSession) [note the additional boolean].
  * Default behaviour of normal auth_getSession(authToken) is just to call with generateSecretSession = false.
  * Modify auth_getSession to not pay any attention to _isDesktop flag.

So, this requires a workflow change for users who are really trying to
generate secret session tokens. They'll have to change to using
auth_getSession(token, true) and not bother setting _isDesktop to true. As
such, the Javadoc needs to be improved considerably to explain this and it
needs to go on some release notes.

The server can use getCacheSessionSecret() to get hold of the session
secret key.

In summary, this means no changes for normal (web) API users and minor
changes for people trying to generate a desktop session secret. These
changes will clarify what the purpose of setIsDesktop() is and will reduce
confusion considerably. So, it's worth making the change...

Original issue reported on code.google.com by david.j....@googlemail.com on 12 Mar 2009 at 11:18

GoogleCodeExporter commented 8 years ago
I have a feeling, that we should just get rid of isDesktop().  If it's just there for
early-failure.  I would much rather send the request to facebook ( since their
policies change all the time, let them send an exception ).  It would make our life
much easier.

I am even leaning towards removing SessionSecret... sort-of.  Since really all we
need is the "CurrentSecret", we don't care how we got it.  If we got it through
auth_getSession, or through a config file. :)

Just wondering if storing how we got the sessionSecret, and storing the original
sessionSecret might be useful later.. but I think for most things, it's not.

Less things to confuse us and users in the long run.  Ideas?

Original comment by fern...@gmail.com on 12 Mar 2009 at 3:50

GoogleCodeExporter commented 8 years ago
Note: We can automatically detect whether we have a "session secret" vs. a normal
secret because session secrets all end in 2 underscores __

Original comment by david.j....@googlemail.com on 18 Mar 2009 at 9:16

GoogleCodeExporter commented 8 years ago
I won't be doing any checkins on this one for a long time anyway... The functionality
doesn't work as documented.
http://forum.developers.facebook.com/viewtopic.php?pid=132736

Original comment by david.j....@googlemail.com on 18 Mar 2009 at 9:18

GoogleCodeExporter commented 8 years ago
Finally fixed by working out that you have to specifically set the application to
desktop mode before it will understand session secrets.

http://code.google.com/p/facebook-java-api/wiki/DesktopMode

Note that I've removed the setIsDesktop(boolean) method. This was misleading.
Instead, use auth_getSession( true ) to tell the client to generate a session secret
for you.

Original comment by david.j....@googlemail.com on 26 Mar 2009 at 10:52

GoogleCodeExporter commented 8 years ago

Original comment by david.j....@googlemail.com on 26 Mar 2009 at 10:52

GoogleCodeExporter commented 8 years ago
Very nice! It works great.

Original comment by mclaughl...@gmail.com on 30 Apr 2009 at 4:12
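
The overload proposed in the opening comment, together with the "current secret" idea and the trailing-underscore check raised later in the thread, as an added sketch that is not the facebook-java-api source. The class name, the `transport` stand-in, the `auth.getSession` method string, the `generate_session_secret` parameter and the `secret`/`session_key` response fields are assumptions; all values are constructed placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiFunction;

// Hypothetical sketch of the proposal in this issue; not the facebook-java-api source.
public class SessionSecretSketch {
    private final String appSecret;     // configured application secret
    private String cachedSessionSecret; // set only when a session secret was requested
    // Stand-in for the HTTP layer (assumption): (method, params) -> response fields.
    private final BiFunction<String, Map<String, String>, Map<String, String>> transport;
    SessionSecretSketch(String appSecret,
            BiFunction<String, Map<String, String>, Map<String, String>> transport) {
        this.appSecret = appSecret;
        this.transport = transport;
    }

    // Existing call: behaviour unchanged for normal (web) users.
    public String auth_getSession(String authToken) { return auth_getSession(authToken, false); }

    // Proposed overload: the argument alone decides; no _isDesktop flag is consulted.
    public String auth_getSession(String authToken, boolean generateSecretSession) {
        Map<String, String> params = new HashMap<>();
        params.put("auth_token", authToken);
        if (generateSecretSession) params.put("generate_session_secret", "true"); // assumed name
        Map<String, String> resp = transport.apply("auth.getSession", params);
        String secret = resp.get("secret"); // assumed response field
        cachedSessionSecret = generateSecretSession && isSessionSecret(secret) ? secret : null;
        return resp.get("session_key");     // assumed response field
    }

    // Per the thread: session secrets end in two underscores.
    static boolean isSessionSecret(String s) { return s != null && s.endsWith("__"); }
    public String getCacheSessionSecret() { return cachedSessionSecret; }
    // The "current secret" idea: callers sign with whichever secret is in effect.
    public String currentSecret() { return cachedSessionSecret != null ? cachedSessionSecret : appSecret; }

    public static void main(String[] args) {
        SessionSecretSketch c = new SessionSecretSketch("APP_SECRET_PLACEHOLDER", (m, p) -> {
            Map<String, String> r = new HashMap<>(); // constructed response values
            r.put("session_key", "SESSION_KEY_PLACEHOLDER");
            r.put("secret", p.containsKey("generate_session_secret") ? "constructed__" : "");
            return r;
        });
        c.auth_getSession("TOKEN_PLACEHOLDER");
        System.out.println("web call caches secret: " + (c.getCacheSessionSecret() != null));
        c.auth_getSession("TOKEN_PLACEHOLDER", true);
        System.out.println("desktop call caches secret: " + (c.getCacheSessionSecret() != null));
    }
}
```

In this arrangement the desktop client is handed only the value from `getCacheSessionSecret()`, so the application secret stays on the server.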