Hi All- I am still trying to figure out the best way to handle facebook session for my users. Here is my current flow:

in my "external accounts controller"

1) before_filter :ensure_authenticated_to_facebook, :only => [:authenticate_facebook, :edit_facebook]

2) when the user links into facebook, facebooker authenticates and redirects back to my application

3) I detect the "auth_token" param in my method and store the session_key

4) now the session[:facebook_session] is good to go

....

when a user logs in I detect if they have ever authorized facebook, if they have, I reconstitute a facebooker session:

    session[:facebook_session] ||= returning Facebooker::Session.create do |session|
      session.secure_with!(facebook.sessions_key, facebook.fb_user_id, 1.day.from_now)
    end

So... this all looks great. The problem is that when I add

    before_filter :ensure_has_status_update, :only => [:authenticate_facebook, :edit_facebook]

it always asks permission to do this - even when I confirm on facebook, this before_filter thinks I don't have permission...

thoughts?

You should use ensure_authenticated_to_facebook for all controllers that require status update. Also, reconstituting your sessions like that will stop working shortly. Sessions will expire in one hour.

Mike

On Jun 12, 2008, at 3:39 PM, William Thomas wrote:

> Hi All- I am still trying to figure out the best way to handle
> facebook session for my users. Here is my current flow:
>
> in my "external accounts controller"
>
> 1) before_filter :ensure_authenticated_to_facebook, :only =>
> [:authenticate_facebook, :edit_facebook]
>
> 2) when the user links into facebook, facebooker authenticates and
> redirects back to my application
>
> 3) I detect the "auth_token" param in my method and store the
> session_key
>
> 4) now the session[:facebook_session] is good to go
>
> ....
>
> when a user logs in I detect if they have ever authorized facebook,
> if they have, I reconstitute a facebooker session:
> session[:facebook_session] ||=
> returning Facebooker::Session.create do |session|
> session.secure_with!(facebook.sessions_key,
> facebook.fb_user_id, 1.day.from_now)
> end
>
> So... this all looks great. The problem is that when I add
>
> before_filter :ensure_has_status_update, :only =>
> [:authenticate_facebook, :edit_facebook]
> it always asks permission to do this - even when I confirm on
> facebook, this before_filter thinks I don't have permission...
>
> thoughts?
>
> _______________________________________________
> Facebooker-talk mailing list
> Facebooker-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/facebooker-talk

--
Mike Mangino
http://www.elevatedrails.com

Wow fast responses, awesome!

The session reconstitution won't work for much longer because of the change in the Facebook API policy, correct? What will be the new way to store this, if any? I have heard that you can still get the user to voluntarily allow the session key to never expire.

I still have the issue with "update status" - facebooker doesn't think it is enabled when it really is.

As for the ensure_authenticated_to_facebook being controller wide - is that a good practice or will it cause me problems later on?

--- On Thu, 6/12/08, Mike Mangino <mmangino at elevatedrails.com> wrote:

> From: Mike Mangino <mmangino at elevatedrails.com>
> Subject: Re: [Facebooker-talk] Session Best Practices
> To: wthomas989 at yahoo.com
> Cc: facebooker-talk at rubyforge.org
> Date: Thursday, June 12, 2008, 4:02 PM
>
> You should use ensure_authenticated_to_facebook for all controllers
> that require status update. Also, reconstituting your sessions like
> that will stop working shortly. Sessions will expire in one hour.
>
> Mike
>
> On Jun 12, 2008, at 3:39 PM, William Thomas wrote:
>
> > Hi All- I am still trying to figure out the best way to handle
> > facebook session for my users. Here is my current flow:
> >
> > in my "external accounts controller"
> >
> > 1) before_filter :ensure_authenticated_to_facebook, :only =>
> > [:authenticate_facebook, :edit_facebook]
> >
> > 2) when the user links into facebook, facebooker authenticates and
> > redirects back to my application
> >
> > 3) I detect the "auth_token" param in my method and store the
> > session_key
> >
> > 4) now the session[:facebook_session] is good to go
> >
> > ....
> >
> > when a user logs in I detect if they have ever authorized facebook,
> > if they have, I reconstitute a facebooker session:
> > session[:facebook_session] ||=
> > returning Facebooker::Session.create do |session|
> > session.secure_with!(facebook.sessions_key,
> > facebook.fb_user_id, 1.day.from_now)
> > end
> >
> > So... this all looks great. The problem is that when I add
> >
> > before_filter :ensure_has_status_update, :only =>
> > [:authenticate_facebook, :edit_facebook]
> > it always asks permission to do this - even when I confirm on
> > facebook, this before_filter thinks I don't have permission...
> >
> > thoughts?
>
> --
> Mike Mangino
> http://www.elevatedrails.com

I'm not sure exactly how this will work, but it will affect the app I'm working on as well. The official post about this change is located here:

http://developers.facebook.com/news.php?blog=1&story=118

It appears as though you'll be able to get a new user session without already having an infinite session key via the Auth.getSession method. It also appears as though you'll be able to do Profile.setFBML without an existing session key as well. As I said though, I'm not 100% sure how this will work. If anyone out there has a better idea, please chime in! I'll probably be playing around with this some time in the next week or two in any case.

-Joel

On Jun 12, 2008, at 3:32 PM, William Thomas wrote:

> Wow fast responses, awesome!
>
> The session reconstitution won't work for much longer because of
> the change in the Facebook API policy, correct? What will be the new
> way to store this, if any? I have heard that you can still get the
> user to voluntarily allow the session key to never expire.
>
> I still have the issue with "update status" - facebooker doesn't
> think it is enabled when it really is.
>
> As for the ensure_authenticated_to_facebook being controller wide -
> is that a good practice or will it cause me problems later on?
>
> --- On Thu, 6/12/08, Mike Mangino <mmangino at elevatedrails.com> wrote:
> From: Mike Mangino <mmangino at elevatedrails.com>
> Subject: Re: [Facebooker-talk] Session Best Practices
> To: wthomas989 at yahoo.com
> Cc: facebooker-talk at rubyforge.org
> Date: Thursday, June 12, 2008, 4:02 PM
>
> You should use ensure_authenticated_to_facebook for all controllers
> that require status update. Also, reconstituting your sessions like
> that will stop working shortly. Sessions will expire in one hour.
>
> Mike
>
> On Jun 12, 2008, at 3:39 PM, William Thomas wrote:
>
> > Hi All- I am still trying to figure out the best way to handle
> > facebook session for my users. Here is my current flow:
> >
> > in my "external accounts controller"
> >
> > 1) before_filter :ensure_authenticated_to_facebook, :only =>
> > [:authenticate_facebook, :edit_facebook]
> >
> > 2) when the user links into facebook, facebooker authenticates and
> > redirects back to my application
> >
> > 3) I detect the "auth_token" param in my method and store the
> > session_key
> >
> > 4) now the session[:facebook_session] is good to go
> >
> > ....
> >
> > when a user logs in I detect if they have ever authorized facebook,
> > if they have, I reconstitute a facebooker session:
> > session[:facebook_session] ||=
> > returning Facebooker::Session.create do |session|
> > session.secure_with!(facebook.sessions_key,
> > facebook.fb_user_id, 1.day.from_now)
> > end
> >
> > So... this all looks great. The problem is that when I add
> >
> > before_filter :ensure_has_status_update, :only =>
> > [:authenticate_facebook, :edit_facebook]
> > it always asks permission to do this - even when I confirm on
> > facebook, this before_filter thinks I don't have permission...
> >
> > thoughts?
>
> --
> Mike Mangino
> http://www.elevatedrails.com

Can everyone chime in and say what you use a stored session for?

Right now, we use them for messaging, profile updates and feeds. Messaging and feeds no longer need the session key, but feeds do. I'll probably change my code to store the session key and its expiration date.

How would everybody feel about a facebook_authentication plugin? It would be similar to restful_authentication, but for Facebook applications. I can do an extraction of our code that is in use for millions of users. Would that be helpful?

Mike

On Jun 12, 2008, at 6:27 PM, Joel Watson wrote:

> I'm not sure exactly how this will work, but it will affect the app I'm
> working on as well. The official post about this change is located
> here:
>
> http://developers.facebook.com/news.php?blog=1&story=118
>
> It appears as though you'll be able to get a new user session
> without already having an infinite session key via the
> Auth.getSession method. It also appears as though you'll be able to
> do Profile.setFBML without an existing session key as well. As I
> said though, I'm not 100% sure how this will work. If anyone out
> there has a better idea, please chime in! I'll probably be playing
> around with this some time in the next week or two in any case.
>
> -Joel

--
Mike Mangino
http://www.elevatedrails.com
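
Added example, not part of the thread and not Facebooker code: one way to store a session key together with its expiration date and decide at login whether the key can be reused or the user has to go back through Facebook authentication. StoredSession, SessionStore, the 60-second margin and the convention that an expiry of 0 means a key that never expires are assumptions; all sample values are constructed.

```ruby
# Added illustration; StoredSession and SessionStore are hypothetical names,
# not part of Facebooker. Sample values below are constructed.
StoredSession = Struct.new(:fb_user_id, :session_key, :expires_at) do
  # expires_at == nil marks a key the user allowed to never expire (assumption).
  def usable?(now, margin = 60)
    return false if session_key.to_s.empty?
    return true if expires_at.nil?
    now + margin < expires_at   # stop early so a call does not fail mid-request
  end
end

class SessionStore
  def initialize
    @rows = {}   # stands in for a database table keyed by Facebook user id
  end

  # Record the key with the expiry reported at authentication time,
  # instead of assuming a fixed lifetime such as one day.
  def save(fb_user_id, session_key, expires_epoch)
    expires_at = expires_epoch.to_i.zero? ? nil : Time.at(expires_epoch.to_i)
    @rows[fb_user_id] = StoredSession.new(fb_user_id, session_key, expires_at)
  end

  # Returns [:reuse, record] when the stored key is still good, otherwise
  # drops the stale row and returns [:reauthenticate, nil].
  def lookup(fb_user_id, now = Time.now)
    record = @rows[fb_user_id]
    return [:reuse, record] if record && record.usable?(now)
    @rows.delete(fb_user_id)
    [:reauthenticate, nil]
  end
end

if __FILE__ == $PROGRAM_NAME
  issued = Time.at(1_213_300_000)                             # constructed timestamp
  store = SessionStore.new
  store.save(1001, "constructed-key-a", issued.to_i + 3600)   # one-hour session
  store.save(1002, "constructed-key-b", 0)                    # never expires
  p store.lookup(1001, issued + 600).first      # within the hour
  p store.lookup(1001, issued + 3590).first     # inside the safety margin
  p store.lookup(1002, issued + 86_400 * 30).first
end
```

Only a :reuse result would be handed to a call such as secure_with!; a :reauthenticate result sends the user back through the ensure_authenticated_to_facebook filter.
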

In general I am using Facebooker to access the list of friends a user has. I am using the Facebook session store so I can update a Facebook user's status from my server. Eventually I would like to be able to access a Facebook user's groups and events.

Reading more - it looks like facebooker may want to support the facebook.users.hasAppPermission call to determine the application's permission.

Second - it looks like my session concerns will become moot after July 15th, as user.setStatus will not require a session key either.

The facebook_authentication plugin sounds interesting. I think it may match the new FB api coming out - since they are not requiring sessions for a good amount of calls.

--- On Fri, 6/13/08, Mike Mangino <mmangino at elevatedrails.com> wrote:

> From: Mike Mangino <mmangino at elevatedrails.com>
> Subject: Re: [Facebooker-talk] Session Best Practices
> To: "Joel Watson" <joel at i5labs.com>
> Cc: facebooker-talk at rubyforge.org
> Date: Friday, June 13, 2008, 8:41 AM
>
> Can everyone chime in and say what you use a stored session for?
>
> Right now, we use them for messaging, profile updates and feeds.
> Messaging and feeds no longer need the session key, but feeds do.
> I'll probably change my code to store the session key and its
> expiration date.
>
> How would everybody feel about a facebook_authentication plugin? It
> would be similar to restful_authentication, but for Facebook
> applications. I can do an extraction of our code that is in use for
> millions of users. Would that be helpful?
>
> Mike
>
> On Jun 12, 2008, at 6:27 PM, Joel Watson wrote:
>
> > I'm not sure exactly how this will work, but it will affect the app I'm
> > working on as well. The official post about this change is located
> > here:
> >
> > http://developers.facebook.com/news.php?blog=1&story=118
> >
> > It appears as though you'll be able to get a new user session
> > without already having an infinite session key via the
> > Auth.getSession method. It also appears as though you'll be able to
> > do Profile.setFBML without an existing session key as well. As I
> > said though, I'm not 100% sure how this will work. If anyone out
> > there has a better idea, please chime in! I'll probably be playing
> > around with this some time in the next week or two in any case.
> >
> > -Joel
>
> --
> Mike Mangino
> http://www.elevatedrails.com

Our application is a MeetingWave.... People create open invitations to meet around a topic of their choice. It is an extension of a Web App...

I use stored session ids for

1) Updating profiles once a day ---- I only need one key for this but I use individual ones.

2) Sending notifications to users when they have an activity on one of their Invites --- This activity could come from a non-facebook user.

3) If a user is integrated with Facebook and they post an invite on the web site then we push a News Feed item into Facebook ---- I think this will break when they cut us off from the infinite key, right?

I think that number 3 is the only thing that is going to break, right? And perhaps the real intention of Facebook is to limit the News and Mini feeds to activity that happens within facebook.

Dave

On Fri, Jun 13, 2008 at 7:41 AM, Mike Mangino <mmangino at elevatedrails.com> wrote:

> Can everyone chime in and say what you use a stored session for?
>
> Right now, we use them for messaging, profile updates and feeds. Messaging
> and feeds no longer need the session key, but feeds do. I'll probably change
> my code to store the session key and its expiration date.
>
> How would everybody feel about a facebook_authentication plugin? It would
> be similar to restful_authentication, but for Facebook applications. I can
> do an extraction of our code that is in use for millions of users. Would
> that be helpful?
>
> Mike
>
> On Jun 12, 2008, at 6:27 PM, Joel Watson wrote:
>
>> I'm not sure exactly how this will work, but it will affect the app I'm
>> working on as well. The official post about this change is located here:
>>
>> http://developers.facebook.com/news.php?blog=1&story=118
>>
>> It appears as though you'll be able to get a new user session without
>> already having an infinite session key via the Auth.getSession method. It
>> also appears as though you'll be able to do Profile.setFBML without an
>> existing session key as well. As I said though, I'm not 100% sure how this
>> will work. If anyone out there has a better idea, please chime in! I'll
>> probably be playing around with this some time in the next week or two in
>> any case.
>>
>> -Joel
>
> --
> Mike Mangino
> http://www.elevatedrails.com