Question

Just trying to understand the philosophy behind Facebook login.

  1. If I am logged into Facebook, my website picks up on this and automatically logs me in.
  2. If I am logged out of Facebook, then I am not authenticated in Facebook; the website still works.
  3. If I log in via either my website or Facebook, I am authenticated and I can use Facebook or my website as an authenticated user.
  4. If I then log out of Facebook, my app is still authenticated but not Facebook.
  5. If I log out of my app, kill all the sessions and manually remove cookies, I can successfully log out.

The problem I have after logging out on both is that $facebook->getUser() and getAccessToken() still maintain my user id and a token. Where are these coming from?

I am using the PHP SDK.

Solution

When you login to your application using Facebook, your application requests Facebook to authenticate you. When the authentication is successful, Facebook tells your application that you are authenticated. Your application then maintains its own sessions.

What you do in your Facebook account or your application may not mirror the changes to one another. For instance, when you logout of your Facebook account, your application wouldn't know because as far as your application is concerned, you have been authenticated. At the same time, when you logged out of Facebook, Facebook did not tell your application that you are already logged out.

Applications and Facebook (or other OAuth providers) maintain their own separate sessions.

For your questions:

  1. Yes, your website redirects the visitor to a link in Facebook that automatically tells your client that you are logged in. You no longer see the prompts because you have already granted your application permissions during your first attempt to access the application using your Facebook account.

  2. This would work because of the separate sessions. When you logged out of Facebook, you're still logged on to the application. Not unless the application tries to verify your identity again through Facebook - in that case, authentication will fail.

  3. This is right BUT you cannot login to your application without logging in to Facebook, unless you have another way of authenticating to your application without Facebook (like alternative logins with linked accounts). However, in that case, you still need to be logged on to Facebook using their login form to be logged in. You cannot be logged in to Facebook through your application.

  4. That is correct. If you logout of Facebook, you are logged out of Facebook. Due to the separate sessions, you need to logout of your application too.

  5. Also correct.

What is probably happening in your case is:

  1. You logged out of your application
  2. You get redirected to your home page
  3. Your home page tries to authenticate you because you aren't logged in
  4. You get redirected to Facebook
  5. Facebook confirms your identity and redirects to the application
  6. Application authenticates you again

In order to solve this, your home page should not auto-authenticate. There should be a button that users must click - something like 'Login with Facebook' before you initiate the authentication with Facebook.

You also cannot 'force logout' a user from Facebook. So after using your application, your user must log out of your application and Facebook. If your application uses session cookies, the user will be logged out if the browser is closed.
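An added example (not code from the question, the answer or the Facebook PHP SDK) of the fix the answer describes: the home page never starts Facebook authentication by itself, Facebook login only runs after an explicit 'Login with Facebook' click, and logout clears both the application's session and the SDK's persisted state. It assumes the v3-style PHP SDK class with getUser(), api(), getLoginUrl(), getLogoutUrl() and destroySession() (only getUser() and getAccessToken() appear on the page; the rest are assumed), and uses placeholder app credentials and URLs.

```php
<?php
// Added example, not the question's, the answer's or the SDK's own code.
// Assumed SDK methods: getLoginUrl(), getLogoutUrl(), destroySession(), api().
require_once 'facebook.php';
session_start();

$facebook = new Facebook(array(
    'appId'  => 'YOUR_APP_ID',      // placeholder
    'secret' => 'YOUR_APP_SECRET',  // placeholder
));
$selfUrl = 'https://example.com/';  // placeholder: this page's URL

$action = isset($_GET['action']) ? $_GET['action'] : '';

// Logout: clear OUR session and the SDK's stored user id / token, so a later
// getUser() cannot come back from stale state and re-authenticate the visitor.
if ($action === 'logout') {
    $facebook->destroySession();
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $selfUrl);   // back to a home page that does NOT auto-login
    exit;
}

// Explicit Facebook login: only reached when the visitor clicked the button.
if ($action === 'fblogin') {
    $fbUser = $facebook->getUser();
    if ($fbUser) {
        try {
            $profile = $facebook->api('/me');  // confirm the token is still valid
            $_SESSION['app_user_id'] = $profile['id'];
            header('Location: ' . $selfUrl);
            exit;
        } catch (FacebookApiException $e) {
            $facebook->destroySession();       // stale token: forget it, go to Facebook
        }
    }
    header('Location: ' . $facebook->getLoginUrl(array('redirect_uri' => $selfUrl . '?action=fblogin')));
    exit;
}

// Home page: trust only the application's own session, never getUser() on its own.
if (isset($_SESSION['app_user_id'])) {
    echo 'Logged in as app user ' . htmlspecialchars($_SESSION['app_user_id'])
       . ' - <a href="?action=logout">Logout</a>';
} else {
    echo '<a href="?action=fblogin">Login with Facebook</a>';
}
```

The user still remains logged in to Facebook itself after clicking Logout here; as the answer says, that session is Facebook's and only the user can end it (for example via the URL returned by getLogoutUrl()).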

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow