FB.logout: what should it do in term of later calls to FB.getLoginStatus?

Question

According to https://developers.facebook.com/docs/reference/javascript/FB.logout/

The method FB.logout() logs the user out of your site

what does this mean in terms of later calls to FB.* functions?

Specifically, I'm observing that even though the response to FB.logout has a status of "unknown", after the logout has completed, calling FB.getLoginStatus returns a status of "connected", when passing true as a second parameter or after a page refresh.

This is unexpected to me... perhaps I'm misunderstanding what "logs the user out of your site" means: what does it mean in terms of the FB.* functions? I'm looking to, as best as possible, reverse the process of FB.login. How can this be done?

---

Update: I was testing at http://localhost:8080. When on http://fbtest.charemza.name/ I realise logout works as I expect, but logout on localhost:8080 logout does not seem to work, i.e. exhibits the problem above. To be clear, no errors appear in the console at any point. The code of the page is below.

To change the question slightly, why does it do this on localhost:8080, and is there a way to develop logout locally where the behaviour is the same as on the public web?

<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Facebook Test</title>
</head>

<body>
  <script>
    window.fbAsyncInit = function() {
      FB.init({
        appId      : '1524395480985654',
        cookie     : true,
        xfbml      : false,
        status     : false,
        version    : 'v2.10'
      });

      FB.AppEvents.logPageView();   
    };

    (function(d, s, id){
       var js, fjs = d.getElementsByTagName(s)[0];
       if (d.getElementById(id)) {return;}
       js = d.createElement(s); js.id = id;
       js.src = "https://connect.facebook.net/en_US/sdk.js";
       fjs.parentNode.insertBefore(js, fjs);
     }(document, 'script', 'facebook-jssdk'));

    document.addEventListener("DOMContentLoaded", function(event) {
      document.getElementById("loginButton").addEventListener("click", function() {
        FB.login(function(response) {
          console.log('FB.login', response);
        });

      });

      document.getElementById("logoutButton").addEventListener("click", function() {
        FB.logout(function(response) {
          console.log('FB.logout', response);
        });
      });

      document.getElementById("getLoginStatusButton").addEventListener("click", function() {
        FB.getLoginStatus(function(response) {
          console.log('FB.getLoginStatus', response);
        }, true);
      });
    });
  </script>


  <button id="loginButton">FB.login()</button>
  <button id="logoutButton">FB.logout()</button>
  <button id="getLoginStatusButton">FB.checkLoginStatus()</button>
</body>
</html>

Answer 1

The reason this doesn't work for you on localhost is that you have set the App domains to localhost, app domains should only be set when you are using a actual domain.

So I went through a debugging session on the Javascript loaded by FB JSSDK and found below line

document.cookie = n + "=" + o + (o && p === 0 ? "" : "; expires=" + r) + "; path=/" + (q ? "; domain=" + j : "")

When you have no App domains set then q=null and j=.localhost. So no domain is set on the cookie and hence it all works great.

When you have a App domains set as localhost, q=true and j=.localhost. So when the code tries to set domain it uses something like below

"fbsr_370363483399260=q8i_dn0F22UweXRMNff0tf5WpfYOelZ0vsjtIKrDhzw.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI....A4NTgwNzg1MzEwOTk5In0; expires=Fri, 13 Oct 2017 14:00:01 GMT; path=/; domain=.localhost"

This doesn't work on localhost and doesn't allow setting the cookie at all. document.cookie will not set any cookie not related to current page. But if I override j=localhost in console the cookies work. That is the reason you shouldn't set App domain to localhost when testing locally