I don't know if this is a bug; it is probably hard for this to happen on a production site.

Anyway, steps to reproduce the issue:

1. Install the fb module;
2. Create a new Facebook application (or use an existing one);
3. Set "Create Local Account: *" to "If user has authorized the app" on the Drupal fb application page;
4. Log out;
5. Use Facebook Connect to connect; the user will be created in the Drupal database;
6. Log out again, clear the browser cache, sessions and cookies;
7. Log in with the Drupal root user (id 1);
8. Nothing strange here;
9. Open another tab in the browser, go to facebook.com and log in with the account used in step 5;
10. Refresh your Drupal website page;
11. Now you'll see that you appear to be logged in as the facebook-to-drupal user (the one created in step 5)!
12. Log out;
13. Now you are logged in as the Drupal root user!

It seems that when Drupal gets the Facebook session, it creates another one for the Drupal site but doesn't remove the existing sessions.

Comments

Dave Cohen

Category: support » bug

Hmmm.... yeah there's a bug there.

The step #11 is as expected. When you enable facebook connect, you let facebook control the session. I think of that as the expected behavior.

Step 13 is the problem. Ideally, at step 11 the previous session would have been destroyed. I think the fix will be in fb.module, fb_ajax_event() when event type is 'session_change'. Destroying the session there, during what I call the "session hand-off" should do the trick. But I'm not sure it can safely be called every time the event is session_change. Maybe only when fb_is_canvas() and fb_is_tab() both return false.

BTW, modules/fb plays session tricks by changing the $cookie_domain during fb_settings.inc. It is as if you are visiting drupal on another domain when the app is authorized. That's why when you logged out, your next visit used the old cookie_domain, and your root session was still intact. Possibly the logic of this approach is wrong. This issue makes me wonder if the whole cookie_domain thing is necessary on canvas pages but not connect pages.

I'm not sure right now, but I'll think about this and welcome any comments.

Dave Cohen

Status: Active » Fixed

I've made a change which I think solves this and eliminates the complicated session handoff.

fb_settings.inc no longer changes the cookie domain for facebook connect. And recent changes to fb_user.module combine to solve this.

Please update and let me know if you see this again or any strange behavior.
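A constructed model of the hand-off Dave describes above (the $cookie_domain switch leaving the root session intact, and the fix of no longer switching the cookie domain); this is added example code, not fb.module's own, and the two cookie domains are assumed names:

```python
# Constructed model of the session hand-off from this thread; not fb.module code.
import secrets

BASE_DOMAIN = "example.com"     # cookie domain for normal site visits (assumed)
FB_DOMAIN = "fb.example.com"    # alternate $cookie_domain fb_settings.inc switched to (assumed)
ANONYMOUS = 0


class Site:
    """Server-side session table plus the browser's cookie jar, keyed by cookie domain."""

    def __init__(self):
        self.sessions = {}   # session id -> uid
        self.cookies = {}    # cookie domain -> session id the browser holds for it

    def login(self, domain, uid):
        # The handler only sees the cookie for *this* domain: it destroys whatever
        # session that cookie names, then issues a fresh id for the new identity.
        old = self.cookies.pop(domain, None)
        self.sessions.pop(old, None)
        sid = secrets.token_hex(8)
        self.sessions[sid] = uid
        self.cookies[domain] = sid
        return sid

    def whoami(self, domain):
        return self.sessions.get(self.cookies.get(domain), ANONYMOUS)

    def logout(self, domain):
        self.sessions.pop(self.cookies.pop(domain, None), None)


def replay(switch_cookie_domain):
    """Steps 7-13 of the report. Returns (uid seen at step 11, uid seen at step 13)."""
    site = Site()
    site.login(BASE_DOMAIN, 1)                      # step 7: root logs in normally
    hand_off = FB_DOMAIN if switch_cookie_domain else BASE_DOMAIN
    site.login(hand_off, 42)                        # step 10: session_change logs in the mapped user
    step11 = site.whoami(hand_off)                  # step 11: page shows the facebook-mapped user
    site.logout(hand_off)                           # step 12: log out
    step13 = site.whoami(BASE_DOMAIN)               # step 13: facebook session gone, back on base domain
    return step11, step13
```

With the domain switch the root session is never presented to the hand-off handler, so it survives the logout; on a single domain the hand-off destroys it first and step 13 is anonymous.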

strae

Thanks, I'll try it as soon as I can and tell you how it works!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

mariusilie

Is there a way to disable the step #11 behaviour? This is really annoying because my Drupal admin user uses a different email address than my Facebook account, so I have to use two browsers to be logged in to my Drupal website as admin and to my Facebook account.

Also, when I log out from the Drupal website, I am logged out of Facebook as well, which is another annoying thing.

strae

I have to apologize about this issue; I got a lot of work and didn't find the time to look deeper.

@mariusillie I think you are confusing this issue: the admin (user 1) can't have a Facebook login for security reasons, and moreover you should use the superuser admin to log into Drupal only for maintenance; for everyday stuff, I recommend you create (and use) another user with proper permissions.

mariusilie

Yeah, but I have another Facebook account registered with the same email address as user #1, and when I connect with Facebook I automatically get logged in as user #1.

strae

Oh sorry, I misunderstood your problem!

Yes, I understand how this can be problematic, but it is strange that the fb account has been mapped to user #1.

Dave Cohen

When working with facebook apps, I recommend drupal administration in one browser, while logging into facebook in another browser. Don't use the same browser for both.