Facebook access tokens expiring for unknown reason

Question

EDIT from @avs099: I'm starting the bounty on this post as I have exactly the same issue. I summarize the problem here, and leave the post itself without any changes at the bottom for the reference.

---

What we have: Facebook page access token, obtained as described here: Authenticating as a Page and which live was extended to 60 days with new fb_exchange_token request.

What is the problem: this token works for some time - sometimes I can post hundreds of photos to my fan page in the period of several days; sometimes it's literally few photos - and then I start getting either

(OAuthException) Error invalidating access token: The session has been invalidated because the user has changed the password.

or

(OAuthException) Error invalidating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.

exceptions from the Facebook - but of course I did not do change password or deauthorized the app.

Additional information: Not sure if that matters but:

1. Sometimes I start using token few days after I request it from the Facebook
2. Token is requested (by the C# backend) from the server which is located in a different geographical region from the desktop app which posts photos to the fan page.
3. It happens sometime that several different desktop apps post photos from different PCs (i.e. different IPs I guess)

Anybody has a clue what's going on and how to resolve this?

Thank you.

---

I have a facebook app that serves two purposes:

1) Allows users to facebook connect with my site 2) Allows my site to post to my sites facebook fan page wall

What I'm concerned about is the 2nd usage. I used to be able to set the permissions for an app on a fan page to just allow posting (via the php sdk) without any concern about an access token. Now I've created some new fan pages and that functionality seems to have been removed. Alright, so I go through the whole process of getting an access token (successfully) for the user (always me or another admin of my facebook fan pages) and use that token to get the access tokens for the fan pages I manage (I have the manage_pages permission and so do the other admins for the pages I want to post to). However by the engine gets around to posting content to my fan pages the tokens have expired with one of two error messages:

Error invalidating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.

or

OAuthException: Error invalidating access token: The session has been invalidated because the user has changed the password.

But this isn't an access token dependent on outside users, only internal people (me and one other guy right now). We aren't changing our passwords or doing anything. I've even tested it by logging out of facebook after acquiring tokens and it works fine. It's just after a little while they expire for no reason that I can determine. When I get the tokens I can check them on the debugging tool and they are supposed to last 60 days (according to the doc) although the tool says they never expire.

I've set up the system so when it fails to post to the page I get an email with the link to my site to update the tokens.

Anyone have a clue what's going on?

Answer 1

As Mikhail pointed out, if you get an error reporting that the token is invalid cause user has changed the password. Odds are you are requesting a new token somewhere hidden in the code, when you already have a valid one.