Facebook Login for Websites: Best practice to handle user Facebook logout?

I'm writing a webapp where users will need to login with Facebook (a Facebookless login does not make sense in the context of the app). Ideally, after their initial visit, when a user visits /index, my webapp sees a cookie it deposited earlier, and seamlessly logs the user in automatically and goes to the application (/app).

My problem arises when the user logs out of Facebook, and returns to my app. Since their cookie on my domain will still be present, and their oauth_token will still be valid (they are for 60 days now), I can still log the user in automatically, and the app will work as expected.

To me, it doesn't seem right that the app remains signed in with their Facebook account even when they are not signed in to Facebook. I played around on Stack Overflow itself; it allows this behaviour as well. Are my worries misplaced, or is there a recommended way to see if a user is signed into Facebook when they first request /index from my server?

KJ Tsanaktsidis asked Nov 05 '22 06:11

1 Answer

In my opinion, I don't think your app should remain signed in while the user has already signed out of Facebook.

One scenario where this may not be desirable is: what if I am using your app from a public computer. After I logged out of Facebook, your app still "remembers" me. And now anyone who uses this computer will assume my Facebook identity inside your app.

I think the problem here is that you set your own cookie to remember the user's Facebook login status. Obviously, when the user signs out of Facebook itself, your cookie is not cleared. So at this point your cookie is out of sync with Facebook status.

I recommend that you don't use your own cookie for the purpose of remembering user's Facebook login status. Always rely on Facebook itself for this purpose.

The general strategy is, whenever a user comes to your app, you should check the Facebook login status by using the mechanism provided by Facebook. This way, your app will be in sync with Facebook in terms of the user's login status.

I personally use this piece of code to call the Facebook JavaScript API for the purpose of user login:

```javascript
/*
 * Init code for Facebook Connect: runs once the Facebook JavaScript SDK has loaded.
 * FACEBOOK_APP_ID, CHANNEL_URL, showWelcome(), showFbLogin() and
 * fbAuthResponseChanged() are defined elsewhere in the page.
 */
window.fbAsyncInit = function() {
  FB.init({
    appId      : FACEBOOK_APP_ID, // App ID
    channelUrl : CHANNEL_URL,     // Channel File
    status     : true,            // check login status
    cookie     : true,            // enable cookies to allow the server to access the session
    xfbml      : true,            // parse XFBML
    oauth      : true
  });

  // Check the Facebook login status on every page load instead of trusting an app cookie
  FB.getLoginStatus(function(response) {
    console.log("FB login status: " + response.status);
    if (response.status === 'connected') {
      showWelcome();  // display welcome message
    } else if (response.status === 'not_authorized') {
      // the user is logged in to Facebook, but not connected to the app
      showFbLogin();  // display Facebook Login button
    } else {
      // the user isn't even logged in to Facebook.
      showFbLogin();  // display Facebook Login button
    }
  });

  // Subscribe to Facebook auth events so the app reacts when the status changes later (e.g. logout)
  FB.Event.subscribe('auth.authResponseChange', function(response) {
    fbAuthResponseChanged(response);
  });
};
```
Gz Zheng answered Nov 07 '22 22:11
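The answer above leaves one piece implicit: what the app should do with its own session when `FB.getLoginStatus` or `auth.authResponseChange` reports that the user is no longer connected. The following is an added example, not code from the question or the answer. It separates the decision (keep, create, or tear down the app session) from the SDK wiring, and drives it with a constructed stub of the `FB` object so it runs offline; the stub, the `session` hooks and the `runScenario` walkthrough are assumptions for illustration, and the access token value is a placeholder.

```javascript
// Keep the app's own session in step with Facebook's reported login status,
// instead of trusting a long-lived cookie on the app's domain.

const STATUS_CONNECTED = 'connected';

// Pure decision: given Facebook's reported status and whether an app session
// is currently active, what should the app do?
//   'login'      -> Facebook says connected, no app session yet: create one
//   'keep'       -> connected and an app session exists: nothing to do
//   'logout'     -> not connected (logged out or not_authorized) but an app
//                   session is still alive: tear it down (the shared-computer case)
//   'show_login' -> not connected and no app session: show the login button
function decideSessionAction(fbResponse, appSessionActive) {
  const status = fbResponse && fbResponse.status;
  if (status === STATUS_CONNECTED) {
    return appSessionActive ? 'keep' : 'login';
  }
  return appSessionActive ? 'logout' : 'show_login';
}

// Wires the decision to the SDK. `fb` is the FB SDK object (or the stub below);
// `session` is an object with `active`, `login(authResponse)` and `logout()` hooks.
function installSessionSync(fb, session) {
  const handle = (response) => {
    const action = decideSessionAction(response, session.active);
    if (action === 'login') session.login(response.authResponse);
    else if (action === 'logout') session.logout();
    return action;
  };
  fb.getLoginStatus(handle);                              // initial check on every page load
  fb.Event.subscribe('auth.authResponseChange', handle);  // react to later status changes
  return handle;
}

// Constructed stub of the parts of the FB SDK used above (assumption, for offline runs).
function makeFbStub(initialStatus) {
  const listeners = {};
  const responseFor = (status) => ({
    status,
    authResponse: status === STATUS_CONNECTED
      ? { accessToken: 'ACCESS_TOKEN_PLACEHOLDER', userID: '0' }
      : null,
  });
  let current = responseFor(initialStatus);
  return {
    getLoginStatus: (cb) => cb(current),
    Event: {
      subscribe: (name, cb) => { (listeners[name] = listeners[name] || []).push(cb); },
    },
    // Test hook: simulate Facebook reporting a new status (e.g. the user logged out).
    emit: (status) => {
      current = responseFor(status);
      (listeners['auth.authResponseChange'] || []).forEach((cb) => cb(current));
    },
  };
}

// Minimal app-session object that records what happened to it.
function makeSession() {
  const s = { active: false, log: [] };
  s.login = () => { s.active = true; s.log.push('login'); };
  s.logout = () => { s.active = false; s.log.push('logout'); };
  return s;
}

// The scenario from the answer: user is connected on page load, then logs out of
// Facebook on a shared computer, then logs back in. Returns the session's history.
function runScenario() {
  const fb = makeFbStub(STATUS_CONNECTED);
  const session = makeSession();
  installSessionSync(fb, session);  // page load: connected -> 'login'
  fb.emit('unknown');               // user logs out of Facebook -> 'logout'
  fb.emit(STATUS_CONNECTED);        // user logs back in -> 'login'
  return session.log;               // ['login', 'logout', 'login']
}
```

In a real page `installSessionSync(FB, session)` would be called inside `window.fbAsyncInit` after `FB.init`, with `session.logout()` hitting the server so that the server-side session and cookie are invalidated rather than only the client-side state; the important property is that a non-connected status always wins over whatever the app remembered.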