Follow these steps to reproduce, everything with the same browser to share the session:
- Create and configure a Facebook App
- Enable fb_user and enable the automatic creation of an account
- Log in with a Facebook user
- Access your Canvas app (it will create a user account and a session)
- Log out from Facebook
- Log in to Facebook with another user
- Access your Canvas app again
Once a session is created for the first user, it is not destroyed before the second user accesses the app, and it ends with the new user using the same uid and session as the first one.
The reason is that _fb_user_check_session is never called, so I've attached a patch to fix this.
| Comment | File | Size | Author |
|---|---|---|---|
| | 0001-fb_user-bug-_fb_user_check_session-is-never-called-w.patch | 1017 bytes | jherencia |
Comments
Comment #1
Dave Cohen commented: The change you've made isn't right. That basically makes the FB_USER_VAR_CHECK_SESSION variable serve no purpose. You could instead check the "validate session" option on admin >> site building >> facebook apps >> user settings. That should do the same thing your code has done.
However it shouldn't be needed. The code should automatically start a new session. Have you modified your settings.php to include fb_settings.php? Does your app have the signed request migration enabled?
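The failure reported above (a session created for the first Facebook user being reused by a second one) and the "validate session" check discussed in the reply both come down to one decision: on every canvas request, does the Facebook identity presented by the request match the identity the server-side session was bound to, and if not, the session must be dropped before any account is attached to it. The PHP below is an added example written for this issue, not code from the fb module or from Drupal. It assumes Facebook's signed_request format (base64url HMAC-SHA256 signature, a dot, base64url JSON payload, signed with the app secret); the session key `fb_user_fbu`, the function names, the secret and the user ids are all constructed for the example.

```php
<?php
// Added example (not the fb module's code): decide whether the current PHP
// session may keep serving the Facebook identity the canvas request presents.

function base64url_decode(string $s): string {
    // signed_request parts are unpadded base64url; restore padding before decoding
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4));
}

function base64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Verify the signed_request and return its payload, or null when the signature
// does not check out. An unverified payload must never decide who the user is.
function parse_signed_request(string $signedRequest, string $appSecret): ?array {
    $parts = explode('.', $signedRequest, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encSig, $encPayload] = $parts;
    $payload = json_decode(base64url_decode($encPayload), true);
    if (!is_array($payload) || ($payload['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }
    $expected = hash_hmac('sha256', $encPayload, $appSecret, true);
    if (!hash_equals($expected, base64url_decode($encSig))) {
        return null;
    }
    return $payload;
}

// Compare the Facebook user id bound to the session with the verified one from
// the request. 'keep' only when both exist and agree; 'reset' whenever the
// session belongs to another Facebook user, to nobody, or no identity verified.
function session_decision(?string $sessionFbu, ?string $requestFbu): string {
    if ($requestFbu === null || $sessionFbu === null) {
        return 'reset';
    }
    return hash_equals($sessionFbu, $requestFbu) ? 'keep' : 'reset';
}

// Run this on every canvas request before the Drupal user is loaded from the
// session. Returns the decision taken so callers (and tests) can see it.
function check_canvas_session(string $signedRequest, string $appSecret): string {
    $payload    = parse_signed_request($signedRequest, $appSecret);
    $requestFbu = isset($payload['user_id']) ? (string) $payload['user_id'] : null;
    $sessionFbu = $_SESSION['fb_user_fbu'] ?? null;   // hypothetical session key
    $decision   = session_decision($sessionFbu, $requestFbu);
    if ($decision === 'reset') {
        $_SESSION = [];                               // drop the old user's state
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);              // old session id becomes unusable
        }
        if ($requestFbu !== null) {
            $_SESSION['fb_user_fbu'] = $requestFbu;   // bind the fresh session
        }
    }
    return $decision;
}

// Constructed fixture builder (test data only, not real Facebook traffic).
function make_signed_request(array $payload, string $appSecret): string {
    $encPayload = base64url_encode(json_encode($payload));
    $sig = hash_hmac('sha256', $encPayload, $appSecret, true);
    return base64url_encode($sig) . '.' . $encPayload;
}

// Walk through the reported scenario with constructed ids and a constructed secret.
$secret = 'example-app-secret-not-real';
$_SESSION = [];
$first  = make_signed_request(['algorithm' => 'HMAC-SHA256', 'user_id' => '1001'], $secret);
$second = make_signed_request(['algorithm' => 'HMAC-SHA256', 'user_id' => '2002'], $secret);

echo check_canvas_session($first, $secret), "\n";   // reset: anonymous session, now bound to 1001
echo check_canvas_session($first, $secret), "\n";   // keep:  same user, same session
echo check_canvas_session($second, $secret), "\n";  // reset: second user must not inherit 1001's session
echo check_canvas_session('garbage.' . explode('.', $second)[1], $secret), "\n"; // reset: bad signature
```

The third call is the situation described in the issue: the second Facebook user arrives while the first user's session is still alive, and the only safe outcome is to discard that session rather than let the new user continue under the first user's uid. Regenerating the session id at the same time means a request that still carries the old cookie no longer maps to any state.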
Comment #2
jherencia commented: OK, you are right, I misunderstood what that part of the code does.
I have modified settings.php but don't know where to enable the signed request migration option in my app.
Comment #3
Dave Cohen commented: On Facebook. Start at admin/build/fb, click the number under "remote settings". Then click "advanced". Signed request is still one of the ever-changing list of "migrations".
Comment #4
james.williams commented: Since this is a security issue (being able to take control of others' accounts), should the 'validate session' option not default to being on rather than off?
I'm not seeing the signed request migration option in my app; was this one of the ones that FB is now enforcing?
Comment #5
jherencia commented: I don't see that option either.