tjwnuk

Reputation: 39

User is logged out from Facebook, but website still gets his data

I've got the following code:

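    // The PHP SDK's config keys are case-sensitive: 'appId' and 'secret'
    $fb = new Facebook(array('appId' => APPID, 'secret' => APPSECRET));
    $user = $fb->getUser();

    if ($user) {
        try {
            $me = $fb->api('/me');
        } catch (FacebookApiException $e) {
            // The Graph API call failed: log it and treat the visitor as logged out
            error_log($e);
            $user = null;
        }
    }

    if ($user) {
        // blah blah blah
    }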

It works properly if the user is not logged in, and it works if the user logs in. But if he clicks the link from $fb->getLogoutUrl() and successfully logs out from Facebook, my app still holds his data. I read that trying $fb->api('/me') should throw an exception if the user is logged out, but it doesn't. Clearing the $_SESSION table helps, but I don't think that is a proper solution.

Any ideas?

Upvotes: 1

Views: 250

Answers (1)

Sammaye

Reputation: 43884

I think this might be caused by Facebook's extended access token (I am not sure), which basically gives the same as offline access (in fact it replaces it: https://developers.facebook.com/roadmap/offline-access-removal/ ) but for 60 days.

So I think it is nothing to really worry about. I am unsure what you mean by:

Clearing the $_SESSION table helps but I don't think that is a proper solution.

Since I am unsure exactly what you are "clearing", you might be clearing the accessToken, in which case, yes, that will stop you from accessing the user's info, although be aware it DOES not deauth your app. Logging in and out are two completely different things to auth and deauth. The /me URL will normally only throw an exception if you're not allowed to access it, i.e. the user has deauthed your app.

I think using destroySession after logout ($fb->destroySession()) will solve most of your problems by destroying the cookies on your side and resetting the user access.

Upvotes: 1
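
The logout flow the answer points to, as an added example that is not part of the original question or answer: the logout link sends the browser back to a page that clears both the SDK's persisted data and the app's own PHP session. It assumes the Facebook PHP SDK v3 (`facebook.php`) and the `APPID` / `APPSECRET` constants from the question; the file name `logout.php`, the `app.example` URL and the helper `local_logout()` are hypothetical.

```php
<?php
// logout.php (hypothetical file name; added example, not the asker's code)
require_once 'facebook.php';   // Facebook PHP SDK v3, assumed to be on the include path

/**
 * Remove every local trace of the Facebook login.
 * Logging out of facebook.com does not touch the app's own PHP session,
 * so user data cached there stays available until the app clears it.
 */
function local_logout(Facebook $fb)
{
    // Clears the SDK's persisted user id and access token
    // and expires its signed-request cookie.
    $fb->destroySession();

    // The SDK keeps its data in $_SESSION; the app may cache more there.
    if (!session_id()) {
        session_start();
    }
    $_SESSION = array();

    // Expire the session cookie so the old session id cannot be replayed.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

$fb = new Facebook(array('appId' => APPID, 'secret' => APPSECRET));
local_logout($fb);

header('Location: /');   // hypothetical landing page after logout
exit;

// On the page that renders the logout link, point 'next' at this file so the
// browser returns here once Facebook has ended its own session:
//   $logoutUrl = $fb->getLogoutUrl(array('next' => 'https://app.example/logout.php'));
```

After this runs, `$fb->getUser()` returns 0 on the next request until the user logs in again; the app's authorization on Facebook's side is unchanged, which matches the login/deauth distinction drawn in the answer.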
