[I guess this is a feature request...]

I think a case can be made for decoupling the Drupal and Facebook logout actions:

* These days, people tend to stay logged into Facebook A LOT, whereas they might choose to log into my site via FB Connect, do some stuff, and log out. I can imagine them getting cranky if logging out of my site cost them their Facebook session. (Yes, they could do their Facebook stuff in another browser, etc, but that's hardly friendly.)

* Similarly, I can imagine someone logging out of FB while still logged into my site -- if I'm primarily using FB for authentication, they don't really NEED to be continually logged into Facebook. If they chose to do something that would require FB, they'd have to re-authenticate, but that could be semi-easily done.

Does this make sense to anyone? If I wanted to explore it, would I need to think about doing anything other than disabling FB_Connect.logoutHandler in fb_connect.js? I'm still chewing through the code... Thanks!

Comments

jack_tux’s picture

Hi

I was thinking the same thing as you when I first started using this module.

I have now been running some large community sites for over 6 months and no one (users) has complained about this. I thought I was going to get complaints but nothing.

So even though I still think this needs to be discussed, at this stage I don't think it's a major problem. Whether people don't mind staying logged into the drupal site or they just log back into facebook without a second thought.

But you raise a good point.

jim_at_miramontes’s picture

Interesting, @jack_tux; thanks for posting. It seems like this would be a Nice Thing, but it may also be one that doesn't come up a lot in real use (cf. what you've found).

BTW, just commenting out FB_Connect.logoutHandler didn't magically get me what I was hoping for. As I expected, or should have expected...

Dave Cohen’s picture

My understanding of facebook connect is that a proper implementation will log the user out, when they log out of facebook. I think it's a bad idea to leave them logged in.

Imagine a shared computer say in a library. User is logged into your site in one tab, facebook in another. User logs out of facebook in the other tab. Another person shows up at the computer and logs into their facebook account, then that second person visits your site. Surely somewhere during that process you'd want to log out the first user.

You should find with most sites that implement facebook connect, you are logged out when you log out of facebook. I believe that's the correct and expected behavior.

ymeiner’s picture

I am struggling with this one right now.

I want to use drupal for facebook to post comments to facebook but I do not want to tie the user login with the facebook login.

I want to be able to log out of facebook but still be logged in to the website. Also there is the possibility that somebody disconnected the app on facebook but I still want him to be logged in to the website. Because of that I am looking into separating the two.

I am just about to figure out what I need to delete in the globals in order to do that.

I will keep you posted.

ymeiner’s picture

My findings until now. Not sure if it is all.

there are 4 elements to unset:

  unset($_SESSION['fb_' . $GLOBALS['_fb_app']->id . '_user_id']);
  unset($GLOBALS['_fb_app']);
  unset($GLOBALS['_fb']);
  unset($GLOBALS['fb_init_no_settings']);

so the logout function is a little different.

function _fb_logout() {
  // Intentionally disabled so that the Drupal user stays logged in:
  //session_destroy();
  //$GLOBALS['user'] = drupal_anonymous_user();

  // Unsetting the javascript fbu can be helpful when third-party cookies disabled.
  fb_js_settings('fbu', 0);// @TODO still needed?? helpful???

  // Clean up facebook cookies.
  // @TODO: Are facebook cookies renamed (fbsr_...)??? Is this even needed anymore???
  if (isset($GLOBALS['_fb_app'])) {
    if (isset($_COOKIE['fbs_' . $GLOBALS['_fb_app']->apikey])) { // still needed?
      setcookie('fbs_' . $GLOBALS['_fb_app']->apikey, '', time() - 42000, '/');
    }
    if (isset($_COOKIE['fbs_' . $GLOBALS['_fb_app']->id])) {
      setcookie('fbs_' . $GLOBALS['_fb_app']->id, '', time() - 42000, '/');
    }
    // Forget the Facebook user id stored for this app. Done inside the isset()
    // check because the session key is built from $GLOBALS['_fb_app']->id.
    unset($_SESSION['fb_' . $GLOBALS['_fb_app']->id . '_user_id']);
  }
  unset($GLOBALS['_fb_app']);
  unset($GLOBALS['_fb']);
  unset($GLOBALS['fb_init_no_settings']);
  drupal_session_initialize();
}

This way you are unsetting all variables and cookies without logging the user out.

This should be improved.
A checkbox should be added to the settings of the app to decide whether we want to log out the user or not. If not, the session destroy should not take action, and the user should stay the same.

Dave Cohen’s picture

Category: feature » support

You might find that telling javascript not to act on session changes will do what you want. (Of course there might be all sorts of bugs. I don't recommend this code, or what you're trying to do in general.)

Something like:

  // This is in case your javascript initializes after fb.js:
  var events = jQuery(document).data('events');
  if (events) {
    events.fb_session_change = null;
  }
  
  // And this is in case your JS initializes first:
  jQuery(document).bind('fb_session_change', myCustomSessionChangeEventHandler);

tomotomo’s picture

Some people may not need such a feature but there are definitely those of us that do want at least 1) ability to logout of site without also logging out of Facebook (users will log themselves out of Facebook if that's what they want) or 2) stay logged into a site to continue commenting, after logging out of Facebook. They are two separate use cases though.

Dave Cohen’s picture

1) ability to logout of site without also logging out of Facebook (users will log themselves out of Facebook if that's what they want)

One of the features is when logged into facebook, you are automatically logged into the site. Most facebook connect sites work this way (all should). You want to remove that feature, too?

tomotomo’s picture

All the big Facebook Connect sites I see (Digg, Airbnb, etc.) do not automatically log you into the site if you are logged into Facebook.

They all wait until you click the 'login' button. That's the standard way now. They let you log out of the site and log in as another user.

tomotomo’s picture

Can anyone name some major sites that work the way this module works, by letting you create an account but not letting you log out without logging out of Facebook and then not letting you login as any account except your Facebook account?

Dave Cohen’s picture

For historical reasons, it used to be a best practice, modules/fb uses the cookies provided by facebook to determine your login status. I believe the sites you're talking about are using their own cookies or storing access tokens some other way. I do believe the next major release of modules/fb should work that way. But I feel it would be a big change for the 3.x branch.

Facebook used to explicitly say that facebook connect should work in the way this module implements. Their doc has changed, and the best practice may have changed. However I still feel it is reasonable behavior. I think it's reasonable to automatically log a user in when they are logged into facebook, and automatically log them out of facebook when they log out. Isn't that preferred?

maciej.zgadzaj’s picture

I guess the preferred version would be to leave site administrators a choice how they want this module to behave.

For example by adding 3 checkboxes somewhere in module configuration:
- automatically log users out of Facebook when they log out of the site
- automatically log users out of site when they log out of Facebook
- automatically log users into the site when they log into Facebook
should do the trick.

Essentially I support this feature request (shouldn't we change the issue category?) as from what I've noticed all sites I tried checking out FB Connect functionality work exactly this way, i.e. they do not log me out of Facebook when I log out from the site - and that's exactly what I would want myself.

Dave Cohen’s picture

Checkboxes like that would just confuse people. For example, uncheck "automatically log users out of Facebook when they log out of the site" and check "automatically log users into the site when they log into Facebook" and suddenly you'd never be able to log out of the site.

In reality there are only two options. The coupled "single sign-on" approach, or the decoupled approach.
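
Added example, not part of the thread and not modules/fb code: a small JavaScript model of the two situations discussed above, the shared-computer case and the checkbox combination under which a user can never log out of the site. The policy flags, event names and users are hypothetical; `endOnMismatch` is an assumed check that ends a site session when the browser presents a different Facebook user.

```javascript
// Added model, not modules/fb code: one browser holding a Facebook session
// and a site session. Policy field and event names are hypothetical.
function simulate(policy, events) {
  let fb = null;    // Facebook user currently logged in on this browser
  let site = null;  // Facebook user the site session is bound to
  for (const [type, who] of events) {
    switch (type) {
      case 'fbLogin': fb = who; break;
      case 'fbLogout':
        fb = null;
        if (policy.siteOutOnFbOut) site = null;
        break;
      case 'siteLoginClick':  // explicit click on "Connect with Facebook"
        if (fb) site = fb;
        break;
      case 'siteLogout':
        site = null;
        if (policy.fbOutOnSiteOut) fb = null;
        break;
      case 'pageLoad': break;
      default: throw new Error('unknown event: ' + type);
    }
    // Each event is followed by the site re-evaluating its state.
    // A session bound to one Facebook user must not survive another one.
    if (policy.endOnMismatch && site && fb && site !== fb) site = null;
    if (policy.autoLogin && fb && !site) site = fb;
  }
  return { fb, site };
}

const COUPLED = { autoLogin: true, fbOutOnSiteOut: true, siteOutOnFbOut: true, endOnMismatch: true };
const DECOUPLED = { autoLogin: false, fbOutOnSiteOut: false, siteOutOnFbOut: false, endOnMismatch: true };
const DECOUPLED_NO_CHECK = { ...DECOUPLED, endOnMismatch: false };
// The checkbox combination: auto-login on, "log out of Facebook too" off.
const MIXED = { ...COUPLED, fbOutOnSiteOut: false };

// Constructed scenarios with made-up users.
const SHARED_COMPUTER = [['fbLogin', 'alice'], ['siteLoginClick'], ['fbLogout'],
                         ['fbLogin', 'bob'], ['pageLoad']];
const SITE_LOGOUT = [['fbLogin', 'alice'], ['siteLoginClick'], ['siteLogout']];

console.log(simulate(DECOUPLED_NO_CHECK, SHARED_COMPUTER)); // fb: 'bob', site: 'alice'
console.log(simulate(DECOUPLED, SHARED_COMPUTER));          // fb: 'bob', site: null
console.log(simulate(MIXED, SITE_LOGOUT));                  // fb: 'alice', site: 'alice'
```

In this model a decoupled setup only stays safe on a shared computer if the site remembers which Facebook user its session was created for and compares it on later requests.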

maciej.zgadzaj’s picture

Category: support » feature

Two options sounds ok to me too, as long as they are there. Or at least the decoupled approach, as it seems to be standard nowadays.

Changing category to "feature request" then.

Btw - could help with developing it if needed?

maciej.zgadzaj’s picture

A quick update on what has worked for me (or at least what seems to have worked).

How I wanted it to work:

  • do not automatically log a user into the site even when logged into Facebook, require user to go to login page and click "Connect with Facebook"
  • do not automatically log a user out of Facebook when they log out of the site
  • do not automatically log a user out of the site when they log out of Facebook

First thing - untick "Get login status when initializing javascript." checkbox on DFF Settings page.

Now, code-wise - this is a combination of deleting all DFF cookies and variables with the remaining part of user_logout() code, which will not be called because we do drupal_goto() here at the end:

/**
 * Implementation of hook_user().
 */
function MYMODULE_user($op, &$edit, &$account, $category = NULL) {

  if ($op == 'logout') {
    if (fb_facebook_user() && fb_api_check_session($GLOBALS['_fb'])) {

      // Exterminate Facebook cookies!

      // I needed to add cookie domain to all setcookie() calls to make them
      // work - this could depend on specific (sub)domain configuration I guess.
      $cookie_domain = '.mydomain.org';
      // When "Use Oauth when initializing javascript" setting is enabled.
      if (variable_get(FB_VAR_JS_OAUTH, TRUE)) {
        if (isset($_COOKIE['fbsr_' . $GLOBALS['_fb_app']->apikey])) {
          setcookie('fbsr_' . $GLOBALS['_fb_app']->apikey, '', time() - 3600, '/', $cookie_domain);
        }
        if (isset($_COOKIE['fbsr_' . $GLOBALS['_fb_app']->id])) {
          setcookie('fbsr_' . $GLOBALS['_fb_app']->id, '', time() - 3600, '/', $cookie_domain);
        }
      }
      // When "Use Oauth when initializing javascript" setting is disabled.
      else {
        if (isset($_COOKIE['fbs_' . $GLOBALS['_fb_app']->apikey])) {
          setcookie('fbs_' . $GLOBALS['_fb_app']->apikey, '', time() - 3600, '/', $cookie_domain);
        }
        if (isset($_COOKIE['fbs_' . $GLOBALS['_fb_app']->id])) {
          setcookie('fbs_' . $GLOBALS['_fb_app']->id, '', time() - 3600, '/', $cookie_domain);
        }
      }

      // Exterminate Facebook variables too!

      unset($_SESSION['fb_' . $GLOBALS['_fb_app']->id . '_user_id']);
      unset($GLOBALS['_fb_app']);
      unset($GLOBALS['_fb']);
      unset($GLOBALS['fb_init_no_settings']);

      // The part below is remaining code from user_logout(), which would
      // normally be executed after calling user_module_invoke('logout'), but
      // because we are doing drupal_goto() here (to avoid call to drupal_goto()
      // in fb_user module, which would log user out of Facebook) we need
      // to execute this code here too.

      // Destroy the current session, and reset $user to the anonymous user.
      session_destroy();

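      // Load the anonymous user. This must go into the global $user (as
      // user_logout() does); a local $user variable would leave it untouched.
      $GLOBALS['user'] = drupal_anonymous_user();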

      drupal_goto();

    }
  }

}

Finally, some modules' weights need to be updated, so that MYMODULE's weight is higher than any other module weights, but lower than fb_user weight - this is to make sure that hook_user() implementation for $op == "logout" from fb_user module will never be called (and thus redirect to Facebook's logout page will not be called).

In my case, the heaviest module before was autologout with weight = 1000, so I have set MYMODULE's weight to 1010 and fb_user's weight to 1011. (Note here that fb_user sets its own weight to -1 during install for form altering purposes (see fb_user.install), but it was not important in my case and I could easily change it without any side effects.)

Dave, any thoughts on this? Everything seems to be working fine for me so far, however if you have any ideas what could possibly go wrong with a setup like this or what to watch out for I would appreciate sharing!

Dave Cohen’s picture

I think the right way to do this is to never use the facebook cookies. Instead store the user's access token in Drupal's session. (And I expect a future version of modules/fb will do exactly this, and no longer rely on facebook's php sdk at all, but that's a ways off).

Under admin >> site building >> facebook app >> settings, there are some options kind of like this. I'd try unchecking "Use FB Cookie", and check "Use tokens in session to initialize javascript".

I'm not saying that will work perfectly, cause I haven't really tested. Some of those options come from my attempts to support third-party cookies being disabled. But if modules/fb is able to learn the token without the cookie (which it can for sure on canvas pages, connect pages I'm not sure), then it will put it in drupal's session. That should work for login. Logout might still log the user out of facebook.

blackspiraldancer’s picture

I strongly disagree on the concept of "confuses". Someone might say that the default module behavior is "confusing", as pretty much the whole web behaves differently regarding the fb connect/login issue - what's wrong in letting administrators (not unskilled, untrained users, but people that do this with some actual knowledge) decide their own setting without hacking the module every time?
If your concern is a possible critical condition, state a warning when the two critical options are selected, and let go.

Mina.Habashy’s picture

Thank you [maciej zgadzaj] so much, it works well except for one thing:
- After signing in to the drupal site, I just try to log out from the drupal site but nothing happens.
Also I got an error message in the console: "FB.logout() called without an access token".
Any idea how to solve this problem?

thedavidmeister’s picture

Hey, how does this feature request fit in with Policy #6 - http://developers.facebook.com/policy/#policies

Your website must offer an explicit "Log Out" option that also logs the user out of Facebook.

thedavidmeister’s picture

Status: Active » Closed (won't fix)

I think we have to close this issue to stay in line with FB's policies.

Individuals can write custom code to circumvent those at their own risk but I feel this module should strive to do things "by the book" wherever possible. Feel free to re-open if you strongly disagree.