Facebook Authentication / Login

I have Facebook authentication set up using PHP and it looks something like this, first getting authorized here:

https://graph.facebook.com/oauth/authorize?client_id=<?= $facebook_app_id ?>&redirect_uri=http://www.example.com/facebook/oauth/&scope=user_about_me,publish_stream

      

then we get the access token:

// $code is the "code" query parameter Facebook appends to the redirect_uri
$url = "https://graph.facebook.com/oauth/access_token?client_id=".$facebook_app_id."&redirect_uri=http://www.example.com/facebook/oauth/&client_secret=".$facebook_secret."&code=".$code;

function get_string_between($string, $start, $end){ 
    $string = " ".$string; 
    $ini = strpos($string,$start); 
    if ($ini == 0) return ""; 
    $ini += strlen($start); 
    $len = strpos($string,$end,$ini) - $ini; 
    return substr($string,$ini,$len); 
} 


$access_token = get_string_between(file_get_contents($url), "access_token=", "&expires=");     

      

then get user info:

$facebook_user = file_get_contents('https://graph.facebook.com/me?access_token='.$access_token);

$facebook_id = json_decode($facebook_user)->id;
$first_name = json_decode($facebook_user)->first_name;
$last_name = json_decode($facebook_user)->last_name;

      

This is pretty ugly (in my opinion), but it works ... however, the user is not logged in yet, because I did not create or retrieve any session variables to confirm that the user is logged in on Facebook, which means that after receiving authentication, the user still has to log in.

Firstly: is there a better way to use PHP to accomplish what I did above? Secondly: how do I set / get session variables / cookies that ensure the user doesn't have to hit login?

Thanks for the help.

+2




1 answer


To answer your first question: "Is there a better way to use php to accomplish what I did above?"

Basically, I feel there are many options that come to mind. It comes down to what you are comfortable with and what your goal is for your application.

Personally (I'm not saying this to pressure you, but to suggest an option), I am using the JavaScript login from Facebook. It is a nicely crafted script that's clean, fast, etc., which can be found here (at this point I apologize if my information is out of date, as I just noticed this second that Facebook has refreshed this page, lol!). The good part is that it stores the authentication token as a variable (which you can change to a session if you like), and then it is essentially done, as you just apply this to the end of most URLs as you showed.

(Although looking at the newly updated site, the code looks a little more "complicated" in it, so feel free to ask for help and I'll give you the original code.)

Question 2: how do you get / set session variables ... well, there are many things and ways, etc. etc. ... however, I'll keep to the basic / simple version and add notes that you should keep in the back of your mind for the more complex options. First, at the beginning of any page with session validation, you should start with

session_start();

and then when you want to add a session variable, it's just

$_SESSION['session_variable_name'] = $variable;



(yes, I know you probably do the whole foo and bar, but it annoys me :D). And that's it! If you want to "log out", you can

session_destroy();

and it will stop transmitting session information. Now the session notes:

  • Unless otherwise noted, sessions are usually stored on your server as files! This could violate any privacy statements you have made!

  • Sessions often do not survive across subdomains (www.website.com → website.com) and this is not recommended for $_POST data. Also, some people have problems with http:// to https:// with session data.

  • Sessions don't last forever, they essentially leave the session ID in a cookie in the client's browser for later reference.

  • When you have multiple servers to distribute the traffic weight, you can lose the session again as it is not being passed through the servers. You can store them in a location that all servers can access, or have a server that serves sessions like memcache.

And I think that's most of what you will need to know about sessions :P

I hope this helped!

John

+3
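
Both parts of the question (a cleaner code exchange, and a session that keeps the user logged in) as an added example, not code from either poster: it keeps the question's endpoints and scope, adds the standard OAuth 2.0 `state` check, and records the Facebook id in `$_SESSION`. The function names, the injectable `$fetch` parameter and the canned responses are assumptions made for illustration; on a live site `$fetch` would be `'file_get_contents'`.

```php
<?php
// Added example, not the poster's code. Endpoints and scope come from the question;
// $fetch is a hypothetical injectable HTTP getter so the demo below runs offline.
if (PHP_SAPI !== 'cli') {
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']); // PHP 7.3+
    session_start();
}
function begin_login(string $appId, string $redirect): string {
    // Random per-login value; compared on return so a forged callback is refused.
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
    return 'https://graph.facebook.com/oauth/authorize?' . http_build_query([
        'client_id' => $appId, 'redirect_uri' => $redirect,
        'scope' => 'user_about_me,publish_stream', 'state' => $_SESSION['oauth_state'],
    ]);
}
function finish_login(array $q, string $appId, string $secret, string $redirect, callable $fetch): bool {
    $expected = $_SESSION['oauth_state'] ?? '';
    unset($_SESSION['oauth_state']); // single use
    if ($expected === '' || !hash_equals($expected, (string)($q['state'] ?? ''))) return false;
    if (empty($q['code'])) return false; // user declined or provider error
    $body = (string)$fetch('https://graph.facebook.com/oauth/access_token?' . http_build_query([
        'client_id' => $appId, 'redirect_uri' => $redirect,
        'client_secret' => $secret, 'code' => $q['code'],
    ]));
    // Accept a JSON body or the form-encoded one the question parses by hand.
    $tok = json_decode($body, true);
    if (!is_array($tok)) parse_str($body, $tok);
    if (empty($tok['access_token'])) return false;
    $meUrl = 'https://graph.facebook.com/me?' . http_build_query(['access_token' => $tok['access_token']]);
    $me = json_decode((string)$fetch($meUrl));
    if (!isset($me->id)) return false;
    // Fresh session id at the privilege change, so a pre-login id cannot be reused.
    if (session_status() === PHP_SESSION_ACTIVE) session_regenerate_id(true);
    $_SESSION['facebook_id'] = $me->id; // other pages: session_start(), then check this key
    $_SESSION['first_name'] = $me->first_name ?? '';
    return true;
}
if (PHP_SAPI === 'cli') { // constructed demo with canned responses, no network
    $_SESSION = [];
    $cb = 'http://www.example.com/facebook/oauth/';
    $stub = fn(string $url): string => strpos($url, '/me?') !== false
        ? '{"id":"1000","first_name":"Ann","last_name":"Lee"}'
        : 'access_token=CONSTRUCTED_TOKEN&expires=5000';
    begin_login('APP_ID', $cb); // callback arrives with a state that was never issued
    var_dump(finish_login(['code' => 'c1', 'state' => 'forged'], 'APP_ID', 'SECRET', $cb, $stub));
    begin_login('APP_ID', $cb); // callback arrives with the state stored in the session
    var_dump(finish_login(['code' => 'c1', 'state' => $_SESSION['oauth_state']], 'APP_ID', 'SECRET', $cb, $stub));
}
```

Once the callback is served over HTTPS, add `'secure' => true` to the cookie parameters; the question's redirect_uri is plain http, so the example leaves it out.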








