Question

I am developing a web app which lets users log in with Facebook.
The flow is:
1. Click on login with FB
2. Login to FB
3. Redirect back to the web app

For security reasons (the app is going to run on iPads in customers' stores) I need to log the user out of Facebook immediately after I receive the response from FB (the app no longer interacts with the FB API).

After the user logs into FB, an approval dialog appears which lets the user
1. grant access to the app
2. deny access to the app

Then the user is redirected to the app, where the response is processed.

public function facebook()
{
    try {
        // Succeeds only if the user granted access (an access token exists)
        $fbUser = Faceoff::me();
        $user = UserCreator::withProfile( $fbUser );
        Auth::login($user);

        $url = Faceoff::getLogoutUrl(['next' => 'url to protected area']);
    } catch (\Exception $e) {
        // Access denied (or any other failure): send the user back to the login page
        $url = Faceoff::getLogoutUrl(['next' => 'url to login page']);
    }

    // Clear the local FB session in both cases before redirecting
    Faceoff::destroySession();
    return Redirect::to($url);
}

If the user grants access, the try block is executed; if the user denies access, the catch block is executed instead, and a logout URL with the appropriate next parameter is generated.
The user is redirected straight to that logout URL. So far so good.

The problem is: I cannot log the user out of FB if the user does not grant access to the app.
But I can if access is granted.

Is there a solution for this, or is this intended behaviour?

PS-1: Faceoff is just a wrapper for Laravel.
PS-2: Sorry for such a long story; I just need you to know what I am trying to achieve and where the problem starts.

Thank you for any direction which could lead to the solution!


Solution

The problem is: I cannot log the user out of FB if the user does not grant access to the app. But I can if access is granted.

Is there a solution for this, or is this intended behaviour?

Of course this is intended behavior, otherwise every website I visit could log me out of FB, whether I want that to happen or not – and therefore it needs an active user access token.


And btw., it is not wise to have a large number of users log in on a very limited set of devices in a frequent fashion – that is very likely to trigger Facebook’s security algorithms, which will think something shady is going on … and can lead to your users having to answer additional security questions, getting into other trouble concerning their own accounts, up to your app getting blocked.
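An added example (not code from the question, the answer or the Faceoff wrapper) of the callback logic the answer implies: the Facebook logout URL is built only when an access token was actually issued, and a denied dialog is handled as a purely local logout because no token exists to authorize anything against Facebook. The callback parameter names (`code`, `error`, `error_reason`) and the `logout.php?next=...&access_token=...` URL form are assumptions taken from Facebook's older OAuth dialog and PHP SDK behaviour; all URLs and token values below are constructed.

```php
<?php
// Assumed (older Facebook PHP SDK) form of the logout endpoint.
const FB_LOGOUT_URL = 'https://www.facebook.com/logout.php';

/**
 * Decide where to send the browser after the Facebook OAuth callback.
 *
 * @param array       $query        The callback query string (what $_GET holds).
 * @param string|null $accessToken  Token obtained by exchanging the code, or null.
 * @param string      $protectedUrl Where a logged-in user should land.
 * @param string      $loginUrl     Where a denied or failed user should land.
 */
function facebookCallbackRedirect(array $query, ?string $accessToken,
                                  string $protectedUrl, string $loginUrl): string
{
    // Always drop our own session state first; the local app session is the
    // only thing we control regardless of what Facebook does.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_unset();
        session_destroy();
    }

    // User pressed "Cancel" on the approval dialog (assumed parameters:
    // error=access_denied&error_reason=user_denied). No token exists, so a
    // Facebook-side logout cannot be authorized; only the local redirect is left.
    if (isset($query['error']) || !isset($query['code'])) {
        return $loginUrl;
    }

    // Code present but the exchange failed (expired code, network error, ...).
    if ($accessToken === null) {
        return $loginUrl;
    }

    // Token in hand: Facebook accepts the logout request and continues to "next".
    return FB_LOGOUT_URL . '?' . http_build_query([
        'next'         => $protectedUrl,
        'access_token' => $accessToken,
    ]);
}

// Constructed sample callbacks for a dry run from the command line.
$denied  = ['error' => 'access_denied', 'error_reason' => 'user_denied'];
$granted = ['code' => 'AQBconstructedcode'];
$area    = 'https://app.example/protected';
$login   = 'https://app.example/login';

echo facebookCallbackRedirect($denied, null, $area, $login), PHP_EOL;
echo facebookCallbackRedirect($granted, 'EAABconstructedtoken', $area, $login), PHP_EOL;
```

The first call returns the login page only, because without a token there is nothing Facebook would accept; the second returns the logout URL that chains through to the protected area.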

License: CC-BY-SA with attribution