Handling “Session key invalid or no longer valid” errors from Facebook
I’m not sure if it’s supposed to work this way, but Facebook’s PHP client library method get_loggedin_user() doesn’t do the best job of keeping track of valid sessions. I seem to recall that even their demo FB Connect application experienced this error… It’s easy to reproduce on many FB Connect sites: log into a FB Connect site, then go to Facebook, log out of Facebook, and return to your FB Connect site. Reload the page and you’ll likely see a “Session key invalid or no longer valid” error followed by a trace.
So the simple solution would be to catch the error; the problem is that I don’t think it’s terribly obvious how to properly release the session if an error is caught… Using CakePHP, I added the following to my beforeFilter method:
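    if ($this->facebook->get_loggedin_user()):
        try {
            // Probe the session with a light query that needs a valid session key
            $this->user = $this->facebook->api_client->fql_query('SELECT uid, pic_square, first_name FROM user WHERE uid = ' . $this->facebook->get_loggedin_user());
        } catch (Exception $ex) {
            // The session is no longer valid on Facebook's side: drop the local state
            $this->facebook->clear_cookie_state();
        }
    endif;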
So the only way to reliably test whether or not you have a valid session (since get_loggedin_user() can’t be trusted) is to run a method that requires one, and see if it throws an error. Sure, it adds overhead, which is why I’d recommend a light FQL query that returns data I need anyway, but it’s much better than throwing fatal errors.
If an error is found, clear_cookie_state() seems to effectively destroy the session, and get_loggedin_user() will properly return false in all subsequent code.
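
The probe-and-clear check described above, wrapped in a reusable helper, as an added example that is not the post's or Facebook's own code. StubFacebook, StubApiClient and probe_facebook_session() are hypothetical names; the stubs are constructed stand-ins for the client library so the snippet runs offline, and treating an empty result as a dead session is an assumption of this example.

```php
<?php
// Constructed stand-ins exposing only the method names used in the post.
class StubApiClient {
    private $mode;  // 'live', 'stale' (throws) or 'empty' (no rows, no error)
    public function __construct($mode) { $this->mode = $mode; }
    public function fql_query($fql) {
        if ($this->mode === 'stale') {
            throw new Exception('Session key invalid or no longer valid');
        }
        return $this->mode === 'live'
            ? array(array('uid' => 1001, 'pic_square' => '', 'first_name' => 'Test'))
            : array();
    }
}
class StubFacebook {
    public $api_client;
    private $cookieUid;
    public function __construct($cookieUid, $mode) {
        $this->cookieUid = $cookieUid;
        $this->api_client = new StubApiClient($mode);
    }
    public function get_loggedin_user() { return $this->cookieUid; }
    public function clear_cookie_state() { $this->cookieUid = null; }
}
// Hypothetical helper: returns the user row for a live session, or null after
// clearing local cookie state when the probe throws or comes back empty.
function probe_facebook_session($facebook) {
    $uid = $facebook->get_loggedin_user();
    if (!$uid) {
        return null;  // no local session to check
    }
    try {
        $rows = $facebook->api_client->fql_query(
            'SELECT uid, pic_square, first_name FROM user WHERE uid = ' . (int) $uid
        );
    } catch (Exception $ex) {
        $rows = null;
    }
    if (!is_array($rows) || count($rows) === 0) {
        $facebook->clear_cookie_state();  // fail closed: drop the stale session
        return null;
    }
    return $rows[0];
}
// Constructed cases: a live session, a cookie left behind after logout, an empty reply.
foreach (array('live', 'stale', 'empty') as $mode) {
    $fb = new StubFacebook(1001, $mode);
    $user = probe_facebook_session($fb);
    printf("%s: user=%s uid=%s\n", $mode, $user ? $user['first_name'] : 'none', var_export($fb->get_loggedin_user(), true));
}
```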

Yep, that did the trick! Thanks for posting
@Nick
Great, glad it helped!
Didn’t seem to work for me. I even tried to print some text in the try part and such to see if it made it. It didn’t. So I did: if(empty($this->facebook->user)) { …. } and that seemed to work… Is it not reliable to use the property user? Do I have to look up? I guess is my first question… I know the lookup does work but when it doesn’t, it didn’t seem to error out for me, so there was nothing to catch.
Second problem is the clear_cookie_state() didn’t work. Also, I tried expire_session() … Neither seemed to do the job. When I clear my cookies in the browser THEN it works. So I know there are still cookies somewhere. Inspecting those cookies, they are from FB. I don’t know what I’m supposed to be looking for in them and I certainly don’t know why FB’s API isn’t doing anything with those two method calls.
Anything obvious that I’m not doing right?
@Tom
Because it never logged out of cake… the JavaScript bit didn’t seem to work…
@Tom
Your exact problem is what I’m experiencing, and have reported, in this Facebook bug ticket:
http://bugs.developers.facebook.com/show_bug.cgi?id=6743
I’m not keen on the original post’s solution of running a FB API call on each request - I’d rather catch exceptions at runtime and redirect/recover, even if it means yielding to a 500 error page. The problem is that neither of the cookie-clearing functions you mentioned, nor set_user() called with null, will do the job.
@Tom
I believe I stumbled upon a bug in Facebook’s PHP API, which explains exactly why expire_session() wasn’t working. Please take a look and see if the patch I included solves your problem.
http://bugs.developers.facebook.com/show_bug.cgi?id=7036
As I mentioned in the report, the alternative method some people use to terminate Facebook app sessions, set_user(null,null), works fine. I made the mistake of thinking expire_session() was the more proper API method.
Yay. Thanks for this. I was banging my head on the table with this for a loong time.
Now I can just point people here when this problem comes up again.