This is a short article on how to best implement the Facebook PHP SDK for two integration methods: Canvas applications and external websites offering Facebook Login to their visitors. The difference is not very well documented in the example provided with the SDK.
Facebook Login (previously Connect)
This method is used by external websites, offering their visitors an easy method of registration and login using their Facebook account. As shown in the example code provided with the SDK, we first create an instance of the Facebook class, which we use to retrieve a session.
We will not find a session in two cases:
- The visitor has not authorised the website in the past
- The method getSession() cannot find the session variable in the $_COOKIE or $_REQUEST variables
To check whether the visitor has authorised your application in the past, we redirect the visitor to Facebook using the method getLoginStatusUrl(). Facebook in turn redirects the visitor back to the referring URL, including a $_REQUEST['session'] variable if the visitor has indeed authorised in the past. Be sure to build in a check so that this is done only once per session; otherwise it results in a redirect loop if the user is unknown to Facebook.
When using Facebook Canvas (a website iframed within Facebook), the requested page within the iframe is always provided a signed_request, which the SDK uses to build a “session”. This means that we always know whether the visitor is an authorised user or not, making getLoginStatusUrl() superfluous. If we can’t find a session (getSession()), or we can’t fetch “/me”, the user has not authorised and we need to present the authorisation button.
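The flow described above for both integration methods, as an added example written against the Facebook PHP SDK 2.x API (getSession(), getLoginStatusUrl(), getLoginUrl(), api()); it is not the article's own code, and the app id, secret, the $_SESSION flag name and the canvas detection via signed_request are assumptions for illustration.

```php
<?php
// Added example, not from the original article. Assumes the Facebook PHP SDK 2.x
// (facebook.php) and placeholder app credentials.
require_once 'facebook.php';
session_start();

$facebook = new Facebook(array(
    'appId'  => 'YOUR_APP_ID',      // placeholder
    'secret' => 'YOUR_APP_SECRET',  // placeholder
    'cookie' => true,               // let the SDK read/write its session cookie
));

// Assumption: Facebook always posts signed_request to a canvas page, so its
// presence is used here to tell the canvas case from the external-website case.
$isCanvas = isset($_REQUEST['signed_request']);

// getSession() returns null when no session is found in $_COOKIE or $_REQUEST.
// The SDK checks the signature of whatever it finds against the app secret.
$session = $facebook->getSession();

if (!$session && !$isCanvas && empty($_SESSION['fb_login_status_checked'])) {
    // External website: ask Facebook once per PHP session whether this visitor
    // has authorised the app before. The flag prevents an endless redirect loop
    // for visitors Facebook does not know.
    $_SESSION['fb_login_status_checked'] = true;
    header('Location: ' . $facebook->getLoginStatusUrl());
    exit;
}

$me = null;
if ($session) {
    try {
        // /me only succeeds for an authorised user with a valid session
        $me = $facebook->api('/me');
    } catch (FacebookApiException $e) {
        $me = null; // expired or invalid session: treat as not authorised
    }
}

if ($me) {
    echo 'Logged in as ' . htmlspecialchars($me['name'], ENT_QUOTES, 'UTF-8');
} else {
    // Not authorised (either integration method): present the authorisation link
    $loginUrl = htmlspecialchars($facebook->getLoginUrl(), ENT_QUOTES, 'UTF-8');
    echo '<a href="' . $loginUrl . '">Login with Facebook</a>';
}
```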
The following graphic depicts the flow for both cases: