
Storing Facebook Info in ASP.NET: Session, Cookies or Identity?

So, simple question:

After the user authorizes my app (OAuth 2.0), I do a call to the Facebook Graph API to fetch their details.

So at this point in time, I have their Facebook ID, an access token for API calls, their email, and some other basic info.

I'm working on an ASP.NET MVC 3 web application that uses Forms Authentication and a custom ticket to store extra data.

A lot of examples I've seen have shown storing the info in Session.

Is this wise? Because I'm working on a single-sign-on (e.g. users can "sign in" to my website with Facebook Connect), I only really "care" about their Facebook info if they are already logged in to my website.

With that in mind - I'm wondering if it's worthwhile segregating the info across different persistence mechanisms.

For instance, since the Facebook ID doesn't change, I could store that in the Forms Authentication ticket, and perhaps store the access token in a cookie, with the expiry set to the expiry received in the HTTP response.

How do people go about storing Facebook information in an ASP.NET (MVC - but not specifically limited to) application?

asked Nov 26 '25 01:11

RPM1984


1 Answer

Don't store Facebook info in a session. The JavaScript SDK saves a special cookie for you called fbsr_APP_ID with a signed_request, so you can verify all requests to your server and obtain necessary info. Most of the API calls you can do from the JavaScript API to Facebook.

You can always check on any page of your app if the user is logged in with FB.getLoginStatus
https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/

If the user is not logged in, you can use FB.login to log in: https://developers.facebook.com/docs/reference/javascript/FB.login/

Storing info in sessions is not scalability-wise. It takes memory on your server, etc.

Hope this helps

EDIT: Just to add to the above: don't store any info beyond uid and access token in any persistent storage; basic info from the Graph API "me", for example, might be stored in a database. For the needs of the UI, basic things like name and picture might be constructed within the UI with the help of XFBML tags and URLs, etc. The JavaScript API is also responsible for saving a cookie with signed_request, which might be verified on the server.

answered Nov 28 '25 16:11

Anatoly Lubarsky
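
The answer above says the signed_request in the fbsr_APP_ID cookie can be verified on the server. The following is an added example of that check in C#, not code from the original thread. It assumes .NET Core 3.0 or later and Facebook's documented format, base64url(signature) + "." + base64url(JSON payload), signed with HMAC-SHA256 under the app secret; the class name, secret and sample payload are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class SignedRequestDemo
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // base64url -> bytes: restore '+', '/' and the stripped '=' padding.
    static byte[] FromB64Url(string s) => Convert.FromBase64String(
        s.Replace('-', '+').Replace('_', '/').PadRight(s.Length + (4 - s.Length % 4) % 4, '='));

    static byte[] Mac(string payload, string secret)
    {
        // The MAC covers the still-encoded payload string, not the decoded JSON.
        using (var h = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
            return h.ComputeHash(Encoding.ASCII.GetBytes(payload));
    }

    // Returns user_id from a valid signed_request, or null when it must be rejected.
    public static string VerifiedUserId(string signedRequest, string appSecret)
    {
        var parts = (signedRequest ?? "").Split('.');
        if (parts.Length != 2) return null;
        try
        {
            // Constant-time comparison; a length mismatch also returns false.
            if (!CryptographicOperations.FixedTimeEquals(FromB64Url(parts[0]), Mac(parts[1], appSecret)))
                return null;
            // Parse the JSON only after the signature has been checked.
            using (var doc = JsonDocument.Parse(Encoding.UTF8.GetString(FromB64Url(parts[1]))))
            {
                var root = doc.RootElement;
                bool algOk = root.TryGetProperty("algorithm", out var alg)
                    && alg.ValueKind == JsonValueKind.String && alg.GetString() == "HMAC-SHA256";
                if (!algOk || !root.TryGetProperty("user_id", out var uid)) return null;
                return uid.ValueKind == JsonValueKind.String ? uid.GetString() : null;
            }
        }
        // Malformed base64 or JSON is treated as an invalid cookie.
        catch (Exception e) when (e is FormatException || e is JsonException || e is InvalidOperationException) { return null; }
    }

    public static void Main()
    {
        const string secret = "constructed-app-secret"; // constructed, not a real secret
        string payload = B64Url(Encoding.UTF8.GetBytes(
            "{\"algorithm\":\"HMAC-SHA256\",\"issued_at\":1322000000,\"user_id\":\"1000\"}"));
        string cookie = B64Url(Mac(payload, secret)) + "." + payload; // constructed sample cookie
        Console.WriteLine(VerifiedUserId(cookie, secret) ?? "rejected");
        Console.WriteLine(VerifiedUserId(cookie, "wrong-secret") ?? "rejected");
    }
}
```

Only a user_id returned by a successful check should be trusted for server-side decisions; the app secret stays on the server and never goes into the page or a cookie.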