This patch adds a setting to logout from Facebook where logout from site.

Comments

toxiclung’s picture

this is a really important feature for me
please commit this to your dev or stable release

thank you very much for a very useful module

cheers

MarcElbichon’s picture

function fboauth_user_logout() {
    global $base_url;
    if (variable_get("fboauth_fb_logout",0)) {
      $url = "https://www.facebook.com/logout.php?next=$base_url&access_token=" . $_SESSION['fboauth_access_token'];
      session_destroy();
      drupal_goto($url);
    }
}

should be replaced by

function fboauth_user_logout() {
    global $base_url;
    // Be sure user is logged with facebook
    if (variable_get("fboauth_fb_logout",0) && array_key_exists('fboauth_access_token', $SESSION)) {
      $url = "https://www.facebook.com/logout.php?next=$base_url&access_token=" . $_SESSION['fboauth_access_token'];
      session_destroy();
      drupal_goto($url);
    }
}
quicksketch’s picture

It is very unusual for any app or website to log a user out of Facebook. I'd prefer to keep this functionality separate, as I don't want to encourage this unusual behavior.

MarcElbichon’s picture

I'm not totally agree with you. Many sites logout from Facebook when using Facebook Connect.
The patch adds a settings to activate or not this feature. So users can choose the way they want to disconnect.
I think this could be a good feature for your module.

quicksketch’s picture

Doing some research on this, it seems you may be correct. The most definitive thing I found was Facebook's policy on app/sdk development:

6. Your website must offer an explicit "Log Out" option that also logs the user out of Facebook.

You can't get much more explicit than that. So even if I don't agree with the approach from a UX perspective, if it's the rule then we should do what we can to enforce that.

I'm a little nervous with the approach described, because we don't have any guarantee that the access token we have will still be valid by the time the user logs out. We'll need to perform some kind of check to confirm that the token is still valid before sending the user to facebook.com/logout.php, otherwise they could just end up at an error page.