Friday, June 10, 2011

Facebook Session Syncing

Recently I've been working on a project built around the Facebook JavaScript SDK. Apart from some hiccups here and there, it has been a fun little project combining a ColdFusion application with jQuery and the Facebook JavaScript SDK.

One of the first things anyone has to get working is Facebook Authentication, which involves finding out:
  1. Is the person logged into Facebook?
  2. Has the person authorized your application on Facebook?
This is actually fairly simple:

FB.getLoginStatus(function(response) {
  if (response.session) {
    // logged in and connected user, someone you know
  } else {
    // no user session available, someone you don't know
  }
});

This is a fairly straightforward process, and you can see how you could easily build a structure around this logic.

But I've run into a bit of a snag. This authentication runs every time the page loads, as it should: it needs to check whether the user is still logged in and fetch the user's information again for the JavaScript to access.
But the JavaScript runs when the DOM loads (or when the page loads, depending on what you're doing), while the server-side ColdFusion code runs before this.

So if I wanted ColdFusion to query specific local user information, I couldn't do it ahead of time, because I don't know the validated user's id until AFTER the JavaScript runs.

This leaves us with a few options.

We could keep a local ColdFusion session alongside the JavaScript Facebook session. This would rely on the JavaScript making an AJAX call to ColdFusion after the user is validated, with ColdFusion then storing the needed information in a session variable. This creates a problem, though: security now relies entirely on the JavaScript, and there is also a timing issue.

Page 1 loads: Facebook Authentication runs > validated > fires a call to ColdFusion > ColdFusion sets a session variable.

> Now the user clicks a link for Page 2 >

Page 2 loads (and wants to get user-specific info from the local database): ColdFusion checks the session > sees the stored user information > queries the user's local information and builds the cfm pages > Facebook Authentication runs > fails >

Now what?
We already fetched and returned the local user-specific information to the browser before the Facebook authentication ran and failed. Sure, we could put some JavaScript in there to redirect or reset the page, but that's hardly secure. What would be even worse is if the page was doing updates to the local data: we would have updated the data before the authentication failed, and would now have to trigger some kind of rollback that depends entirely on the JavaScript running properly.

My only solution thus far is that, when using Facebook Authentication, all content that requires local authentication has to be loaded via JavaScript/AJAX calls AFTER the authentication goes through. This isn't always a bad thing, but it does create much more work for the user's browser compared with the server simply serving a pre-processed page.
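To make the two-page timing problem concrete, here is an added model (not code from the original post) that replays the scenario above in plain JavaScript. The Facebook SDK callback and the ColdFusion side are simulated; FB_VALID_TOKENS, LOCAL_USERS and the function names are constructed stand-ins, and the token check is a stub for whatever server-side verification the real application would do.

```javascript
// Constructed stand-ins for the two sides described in the post.
// Facebook side: access tokens the platform would currently accept, and whose they are.
const FB_VALID_TOKENS = { "tok-alice": "alice" };               // constructed sample data
// ColdFusion side: the local user table, keyed by Facebook user id.
const LOCAL_USERS = { alice: { name: "Alice", plan: "pro" } };  // constructed sample data

// Option 1 from the post: ColdFusion renders the page from an identity cached in its own
// session, before any JavaScript (and therefore any Facebook check) has run on this load.
function serverRenderPage(cfSession) {
  const user = cfSession.fbUserId && LOCAL_USERS[cfSession.fbUserId];
  return user
    ? { html: `Welcome back ${user.name}`, usedCachedIdentity: true }
    : { html: "Public page, waiting for FB.getLoginStatus", usedCachedIdentity: false };
}

// The post's solution: user-specific content is only served to an AJAX call made after
// authentication, and the server derives the identity from a token it can check itself
// (stub lookup here) rather than from a user id the JavaScript posted.
function serverAjaxUserInfo(accessToken) {
  const uid = FB_VALID_TOKENS[accessToken];
  if (!uid) return { status: 401, user: null };
  return { status: 200, user: LOCAL_USERS[uid] || null };
}

// One page load: server-side render first, then the FB.getLoginStatus callback fires.
// fbResponse mimics the SDK callback argument: { session: { uid, access_token } } or { session: null }.
function pageLoad(fbResponse, cfSession) {
  const serverSide = serverRenderPage(cfSession);   // happens before JS can know the user
  let ajax = null;
  if (fbResponse.session) {
    cfSession.fbUserId = fbResponse.session.uid;    // option 1's "set a session variable" call
    ajax = serverAjaxUserInfo(fbResponse.session.access_token);
  }
  return { serverSide, ajax };
}

// Replay the post's scenario: page 1 while logged in, then page 2 after the FB session is gone.
function replayScenario() {
  const cfSession = {};
  const page1 = pageLoad({ session: { uid: "alice", access_token: "tok-alice" } }, cfSession);
  const page2 = pageLoad({ session: null }, cfSession);
  return { page1, page2 };
}

const replay = replayScenario();
console.log("page 1 AJAX result:", replay.page1.ajax);
console.log("page 2 server render used a stale identity:", replay.page2.serverSide.usedCachedIdentity);
console.log("page 2 AJAX result (none, auth failed):", replay.page2.ajax);
```

On page 2 the server-rendered path still shows Alice's data from the cached session even though Facebook no longer has a session, while the AJAX path returns nothing because the call is never made, which is exactly the ordering problem the post describes.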


Brian Barker said...

Just found your blog post while searching for info on Facebook session syncing. I know it's been almost half a year, but I wanted to point out Facebook has a "server flow" for their auth that lets you log the user in server side and not do crazy ajax hacking.
