Can I store Facebook access token and use it later?

Question

I am building a web app (PHP) that uses FB connect. I successfully register / sign in user with the help of the PHP lib provided by facebook. Also I can post to wall, using this code

        Facebook::$CURL_OPTS[CURLOPT_SSL_VERIFYPEER] = false;
    Facebook::$CURL_OPTS[CURLOPT_SSL_VERIFYHOST] = 2;               
    $facebook = new Facebook(array(
      'appId'  => $fb_key,
      'secret' => $fb_secret,
      'cookie' => true, // enable optional cookie support
    ));
    $session = $facebook->getSession();
    if ($session)
    {
        $facebook->api('/me/feed', 'POST', array('message'=>$message, 'link'=>$link['href'], 'name'=>$link['text']));                   
    }

However, if I manually go to my browser's cookie manager and delete the cookie that stores FB session, the code doesn't work. The only thing I have is user's FB ID which I store in DB. Is there any way to post to user's wall even if FB sessions is lost? Does it make sense to store user's FB access token in DB to post to wall later or is the access token relatively short-lived?

Here's an example situation that might happen in my app: user clicks fb button, authorizes my app, gets redirected back to my site where I automatically create an account based on data provided by FB, also I store user's FB ID so that I could sign in this user later. Now he browses site, enters some info and this info gets posted to his wall. Everything is fine so far because user's browser holds the cookie created by FB. Now user leaves the site and contacts site admin. Admin opens his own browser, goes to admin interface and posts something on behalf of this user. Now, having that user's FB ID and assuming that user hasn't revoked permissions, can I still post this to his wall?

Answer 1

With the Facebook PHP SDK v3 (see on github), it is pretty simple to ask and use a user offline access token. Here is how you do that.

Get the offline access token

First you check if the user is logged in or not :

require "facebook.php";
$facebook = new Facebook(array(
  'appId'  => YOUR_APP_ID,
  'secret' => YOUR_APP_SECRET,
));

$user = $facebook->getUser();

if ($user) {
  try {
    $user_profile = $facebook->api('/me');
  } catch (FacebookApiException $e) {
    $user = null;
  }
}

If he is not, you generate the "Login with Facebook" URL asking for the offline_access permission :

if (!$user) {
    $args['scope'] = 'offline_access';
    $loginUrl = $facebook->getLoginUrl($args);
}

And then display the link in your template :

<?php if (!$user): ?>
    <a href="<?php echo $loginUrl ?>">Login with Facebook</a>
<?php endif ?>

Then, when the user is logged in, you can retrieve the offline access token and store it. To get it, call :

if ($user) {
    $token = $facebook->getAccessToken();
    // store token
}

Use the offline access token

To use the offline access token when the user is not logged in :

require "facebook.php";
$facebook = new Facebook(array(
  'appId'  => YOUR_APP_ID,
  'secret' => YOUR_APP_SECRET,
));

$facebook->setAccessToken("...");

And now you can make API calls for this user :

$user_profile = $facebook->api('/me');

Hope that helps !

Answer 2

UPDATE: This answer is no longer valid as offline_access is deprecated.

You need to request the offline_access permission. Check the permissions doc.

EDIT Per the update and comments - some info on the removal of the offline_access can be found here.