webtechnick / CakePHP-Facebook-Plugin

CakePHP Facebook Plugin
http://facebook.webtechnick.com

Connect: Session logout without Facebook logout #97

Open dgrabla opened 11 years ago

dgrabla commented 11 years ago

Hi,

I want the users to log out from the app without needing to log out from Facebook first. In other words, it doesn't matter if the user is logged in on Facebook; the app will not do the Auth->login() unless the user clicks on the login to Facebook button.

First let's say that if the Facebook plugin is deactivated, the application works without issues. Users can be created, login and logout. Only when I activate the plugin the problems arise. Can this plugin coexist with CakePHP Auth for users that want to use the site without Facebook Connect?

The normal Facebook->logout() function calls the logout() JavaScript function from Facebook, which destroys the Facebook session altogether. The user is logged out from the app (because the users->logout() is also called) and from Facebook, but the moment the user logs in to Facebook again, he is logged in to the app as well.

I tried an alternative method, doing a Session->destroy() and then deleting (putting the expiration date of the cookies in the past) all the cookies (my app session cookie + several Facebook cookies). This doesn't work very well because if I refresh the page a couple of times, eventually the Facebook JavaScript code regenerates its cookie and then the user is automatically logged in to the app.

I tried using noAuth:

    'Facebook.Connect' => array('model' => 'User', 'createUser' => false, 'noAuth' => true),

Then when a user logs in with Facebook, the plugin sets a PHPSESSID cookie. This PHPSESSID cookie is different from the cookie that my app sets (my cookie has another name). It is as if a session is created and the user is logged in, but the Session->read(Auth.User) is empty. I could not find where in the plugin this cookie is set.

I tried commenting out the session_start() of the Vendor/Facebook.php. This allows me to create users that log in with Facebook, but the users cannot log in afterwards. I don't want to change code in the Facebook SDK anyway.

So the question is, how can I configure the plugin to be able to create and log in users via the CakePHP Auth and the Facebook Connect? How can I do a logout from my app without kicking the user out of Facebook?

Best regards, David

petehare commented 11 years ago

I'm trying to figure this out as well, any help/answers on the matter would be appreciated!

davidluuAU commented 11 years ago

I have what I believe is a related issue where a user is logged into my web app without Facebook Connect. Then on the same browser the user logs into Facebook. The facebook_id is then written to the user on my web app without going through the Facebook login process on the web app.

andreirebe commented 11 years ago

I need the answer to this question too. I would really appreciate it. Thank you.

petehare commented 11 years ago

@andreirebe I ended up just writing my FB integration from scratch using the Facebook PHP SDK. It ended up working quite well after a fair amount of head scratching.

andreirebe commented 11 years ago

@petehare Are you suggesting that I should do the same? What happens when I have to update it and I do not have the time? Have you thought about making a repository with it or sharing it elsewhere?

petehare commented 11 years ago

@andreirebe It's pretty hard baked into my app, unfortunately I don't have time right now to make it into a module.

Gerifield commented 11 years ago

I found a solution! (It took hours, but it was worth it!)

My UsersController:

    public function logout(){
        $this->Session->destroy();
        return $this->redirect($this->Auth->logout());
    }

And I modified the FacebookHelper.php (facebook/View/Helper/FacebookHelper.php) a bit. In the disconnect function I changed the FB.api call, the result:

    $onclick = "FB.api({ method: 'Auth.revokeAuthorization' }, function(response) { FB.getLoginStatus(function(response) { ".$response." }); });";

This'll "reload" the login status data before the relocation to the logout page/controller.

You can then use this stuff for the logout:

    echo $this->Facebook->disconnect(array('label' => 'Logout', 'redirect' => array('controller' => 'users', 'action' => 'logout')));

andreirebe commented 10 years ago

@Gerifield The problem with your solution is that whenever a user uses the logout function the authorization for the website is deleted.

Gerifield commented 10 years ago

@andreirebe: I know, but at least it works.
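
One way to get the behaviour asked for in this issue, where an existing Facebook session never creates an app session by itself, is to require a single-use login-intent token that is set only when the user clicks the login button. This is an added example in plain PHP, not code from the plugin or from anyone in the thread; the function names, the `fb_login_intent` session key and the sample user id are assumptions.

```php
<?php
// Added example in plain PHP: no CakePHP or plugin APIs, all names hypothetical.
// A Facebook session is turned into an app session only when the user clicked
// the app's own login button, recorded as a single-use token in the session.

/** Issue the single-use intent token when the login button is rendered. */
function issueLoginIntent(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['fb_login_intent'] = $token;
    return $token; // sent back by the button's callback request
}

/**
 * Login callback. $facebookUserId is what the Facebook SDK reports for the
 * browser's current Facebook session, or null when there is none.
 */
function loginWithFacebook(array &$session, ?string $submittedToken, ?string $facebookUserId): bool
{
    $expected = $session['fb_login_intent'] ?? null;
    unset($session['fb_login_intent']); // single use, even on failure
    if ($expected === null || $submittedToken === null
        || !hash_equals($expected, $submittedToken)) {
        return false; // Facebook session present but no click: ignore it
    }
    if ($facebookUserId === null) {
        return false; // clicked, but not logged in to Facebook
    }
    $session['Auth'] = ['User' => ['facebook_id' => $facebookUserId]];
    return true;
}

/** App-only logout: clears the app session and leaves Facebook alone. */
function logoutApp(array &$session): void
{
    $session = [];
}

// Constructed walk-through; '1000001' is a made-up Facebook user id.
$session = [];
$token = issueLoginIntent($session);
$first = loginWithFacebook($session, $token, '1000001');   // explicit click
logoutApp($session);
$second = loginWithFacebook($session, null, '1000001');    // page refresh, no click
var_dump($first, $second, isset($session['Auth']));
```

The same gate also covers the case davidluuAU describes: a `facebook_id` is attached to an account only on a request that carries the intent token.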