Facebook fbsr and session wont delete

Question

I have a logout.php page. This gets called by clicking logout that has this javascript attached to it:

 FB.getLoginStatus(function(response) {
    if (response.status === 'connected') {
      button.onclick = function() {
        FB.logout(function(response) {
          window.location = 'logout.php';
        });
      }
   }
 });

On the logout page i have this php code running:

if (isset($_COOKIE['fbsr_' . $app_id])) {
    setcookie('fbsr_' . $app_id, $_COOKIE['fbsr_' . $app_id], time() - 3600, "/");
    setcookie('PHPSESSID', $_COOKIE['PHPSESSID'], time() - 3600, "/");

    unset($_COOKIE['fbsr_' . $app_id]);  
    unset($_COOKIE['PHPSESSID']);
}

The problem is that the javascript does log someone out. The php script will not remove the fbsr and the phpsessid cookies. How can I get around this issue?

Answer 1

I had the same problem, even though all cookie pars were right (doublechecked) What seems to work for me, is setcookie($cookie_name, '', null, '/', '.'.$base_domain); note the null value instead of: time()-3600

I honestly dont know why that works and the time()-3600 does not, but I cross checked and it works... HTH

Answer 2

For some of the applications, FB sets the fbsr cookie under ".your-domain.tld" domain (notice the preceding point). The cookie won't be deleted unless you specify the correct domain. Try this and you'll have logout working:

setcookie('fbsr_' . $appID, '', time()-3600, '/', '.'.$_SERVER['SERVER_NAME']);

It's a FB bug that makes the cookie not be deleted at logout, so your $fb->getUser() API call returns the former user ID instead of NULL or 0. This is FB world ;) Greetings!