--- fb_session.inc.orig	2009-09-24 18:04:48.000000000 +0200
+++ fb_session.inc	2009-10-29 11:08:01.000000000 +0100
@@ -1,4 +1,11 @@
 <?php
+// $Id$
+
+/**
+ * @file
+ * FB session management.
+ *
+ */
 
 /**
  * Here we override Drupal's session management.  Actually, we try not
@@ -44,11 +51,12 @@
  */
 
 $orig_session_name = session_name();
-if (isset($_COOKIE[$orig_session_name]))
+if (isset($_COOKIE[$orig_session_name])) {
   $orig_session_id = $_COOKIE[$orig_session_name];
-else
+}
+else {
   $orig_session_id = '';
-
+}
 $nid = _fb_settings_parse(FB_SETTINGS_APP_NID);
 
 if ($nid && isset($_REQUEST['fb_sig_api_key'])) {
@@ -58,9 +66,10 @@ if ($nid && isset($_REQUEST['fb_sig_api_
   // a session between FBML and iframe, and when forms are submitted
   // from FBML canvas pages.
   $new_session_name = "fb_canvas_{$nid}_" . $orig_session_name;
-  if (isset($_REQUEST['fb_sig_session_key']))
+  if (isset($_REQUEST['fb_sig_session_key'])) {
     $new_session_id = "fb_canvas_{$nid}_" . $_REQUEST['fb_sig_session_key'];
-  else if ($orig_session_id) {
+  }
+  elseif ($orig_session_id) {
     // When user is logged into facebook, but not authorized app, cookies are honored.  (confirm this???)
     $new_session_id = "fb_canvas_{$nid}_" . $orig_session_id;
   }
@@ -75,47 +84,58 @@ if ($nid && isset($_REQUEST['fb_sig_api_
       $_REQUEST['fb_sig_in_iframe']) {
     fb_settings(FB_SETTINGS_SESSION_KEY, $_REQUEST['fb_sig_session_key']);
   }
- }
- else if ($nid && variable_get('fb_session_cookieless_iframe', FALSE) && 
+}
+elseif ($nid && variable_get('fb_session_cookieless_iframe', FALSE) && 
           ($sess_key = _fb_settings_parse(FB_SETTINGS_SESSION_KEY))) {
-   // using sessionless iframes
-   // similar logic to clause above, using session key in url path
-   $new_session_id = "fb_canvas_{$nid}_" . $sess_key;
-   $new_session_name = "fb_canvas_{$nid}_" . $orig_session_name;   
- }
- else {
-   // Try to learn session key from cookies (Facebook Connect)
-   
-   $apikey = NULL;
-   // Discover APIKEY by inspecting cookies.
-   // This could be made more efficient by looking only for the primary apikey.  I hesitate because some sites may need to support multiple connect apps. (I.e. one for the website and other for resizeable iframes in canvas pages)
-   foreach ($_COOKIE as $key => $value) {
-     if ($pos = strpos($key, '_session_key')) {
-       $apikey = substr($key, 0, $pos);
-     }
-   }
-   
-   if ($apikey && isset($_COOKIE[$apikey . '_ss'])) {
-     // We're logged into Facebook Connect.
-     // If fbConnect, we want to use another session id, so that if the
-     // user logs out of facebook, they are also logged out of drupal.
-     
-     // Use globals to remember some values, for fb_connect.module to use.
-     $GLOBALS['fb_connect_apikey'] = $apikey;
-     
-     // Rename the session id, so the Facebook Connect session is distinct from the original drupal session.
-     $new_session_id = 'fb_connect_' . $_COOKIE[$apikey . '_session_key'];
-     
-   }
- }
+  // using sessionless iframes
+  // similar logic to clause above, using session key in url path
+  $new_session_id = "fb_canvas_{$nid}_" . $sess_key;
+  $new_session_name = "fb_canvas_{$nid}_" . $orig_session_name;   
+}
+elseif ($nid && isset($_REQUEST['fb_forms_iframe_session_id'])) {
+  // For iframe canvas when we send AHAH content, the JS open session uses a different id.
+  // In the case of an existing fb connect in the same browser, the js session use the same session id,
+  //  and we could take that session id from $_COOKIE but in the other case the session used is new and
+  //  we need to read the session id from the $_REQUEST['fb_forms_iframe_session_id'] that was added by
+  //  FB Forms module
+  $new_session_name = "fb_canvas_{$nid}_" . $orig_session_name;
+  $new_session_id = $_REQUEST['fb_forms_iframe_session_id'];
+}
+else {
+  // Try to learn session key from cookies (Facebook Connect)
+
+  $apikey = NULL;
+  // Discover APIKEY by inspecting cookies.
+  // This could be made more efficient by looking only for the primary apikey.  
+  // I hesitate because some sites may need to support multiple connect apps. 
+  // (I.e. one for the website and other for resizeable iframes in canvas pages)
+  foreach ($_COOKIE as $key => $value) {
+    if ($pos = strpos($key, '_session_key')) {
+      $apikey = substr($key, 0, $pos);
+    }
+  }
+ 
+  if ($apikey && isset($_COOKIE[$apikey . '_ss'])) {
+    // We're logged into Facebook Connect.
+    // If fbConnect, we want to use another session id, so that if the
+    // user logs out of facebook, they are also logged out of drupal.
+
+    // Use globals to remember some values, for fb_connect.module to use.
+    $GLOBALS['fb_connect_apikey'] = $apikey;
+
+    // Rename the session id, so the Facebook Connect session is distinct from the original drupal session.
+    $new_session_id = 'fb_connect_' . $_COOKIE[$apikey . '_session_key'];
+  }
+}
 
 if (isset($new_session_name)) {
   session_name($new_session_name);
- }
+}
 
 if (isset($new_session_id)) {
   if (!variable_get('fb_session_long_keys', TRUE)) {
-    // Facebook appends user id, time and expiry info which is not necessary for uniqueness.  Here we truncate that information to ensure the sid fits in sessions table.
+    // Facebook appends user id, time and expiry info which is not necessary for uniqueness.
+    // Here we truncate that information to ensure the sid fits in sessions table.
     $new_session_id = substr($new_session_id, 0, 64);
   }
   if ($new_session_id != $orig_session_id) {
@@ -129,34 +149,32 @@ if (isset($new_session_id)) {
     // If we've changed the session id, disable drupal's caching
     $GLOBALS['conf']['cache'] = 0;
   }
- }
- else {
-   // No session from facebook, so make sure we're not using an out of date one.
-   if (strpos($orig_session_id, 'fb_connect') === 0) {
-     // Old fbconnect session can be deleted
-     db_query("DELETE FROM {sessions} WHERE sid='%s'", $orig_session_id);
-     session_id(md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']));
-   }
-   else if (strpos($orig_session_id, 'fb_connect') === 0) {
-     // Canvas session should not be deleted as it could be a user visiting both the website and an iframe app
-     if (!$nid)
-       session_id(md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']));     
-   }
- }
-
+}
+else {
+  // No session from facebook, so make sure we're not using an out of date one.
+  if (strpos($orig_session_id, 'fb_connect') === 0) {
+    // Old fbconnect session can be deleted
+    db_query("DELETE FROM {sessions} WHERE sid='%s'", $orig_session_id);
+    session_id(md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']));
+  }
+  elseif (strpos($orig_session_id, 'fb_connect') === 0) {
+    // Canvas session should not be deleted as it could be a user visiting both the website and an iframe app
+    if (!$nid) {
+      session_id(md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']));
+    }
+  }
+}
 
 if ($nid && !isset($_COOKIE[session_name()])) {
   // requests from facebook (FBML canvas pages) will not have cookies.
   // We want Drupal's session.inc to work properly, as if the session
   // came via cookie.
-  if (!$_COOKIE || !count($_COOKIE))
+  if (!$_COOKIE || !count($_COOKIE)) {
     // Remember that cookies are actually disabled, some apps will want to display a message and/or redirect in this case.
     $_COOKIE['_fb_cookie_fake'] = TRUE;
+  }
   $_COOKIE[session_name()] = session_id();
- }
-
+}
 
 // Finally, include the logic of Drupal's session.inc
 include('includes/session.inc');
-
-?>
\ No newline at end of file
