I want to add Facebook login to my existing login system with remember me. I have an idea of how it should work:
Check if the user is logged in to Facebook. If the user is, we retrieve the user id and check if it's connected to any account. If it is, we get some data and store session vars and the user is logged in.
How to register
The user clicks on sign up and comes to a page with two options: sign up and sign up with Facebook.
If the user chooses sign up with Facebook, then some info will be autofilled (like email) and then the user needs to fill in password and nick. Then we validate the info; if it's valid we store the user + Facebook user id. If the user chooses sign up, we don't autofill and of course don't store the Facebook user id.
How to check if the user is logged in:
1. Check if session vars are set. If they are, the user is logged in. If not, then proceed to step 2.
2. Check if a cookie with the remember me code exists. If it exists, we check if the code is valid; if it is, then the user is logged in. If the cookie doesn't exist, then we proceed to step 3.
3. Check if the user is logged in at Facebook. If the user is, we retrieve the user id and see if it matches a row in the db; if it does, we store session vars and the user is logged in. If not, then we display a login form.
To retrieve the Facebook user id, I use this code:
<?php
require_once("facebook.php");
$config = array();
$config['appId'] = 'app id';
$config['secret'] = 'secret app id';
$facebook = new Facebook($config);
$uid = $facebook->getUser();
?>
Questions
Thanks in advance!
Answers: 1. I think you are on the right track. You could also ensure that a [native user] logged in can access the sign up page and push the FB account join to user profile page or something like that.
As noted in the Facebook API documentation, $uid will contain the Facebook user id of the current user [browsing your site] or null after a call to $uid = $facebook->getUser();
So first off, you could check that the $uid is valid [not null or zero]. Then if it passes that test, you could attempt to retrieve the public profile info by issuing a $user = $facebook->api('/me'). That should provide you with the user profile if the user is logged in to Facebook already. If not, then the user perhaps has a Facebook account but is not logged in.
Note that the api('/me') could throw an exception if the right token was not passed, so you should wrap it in a try-catch block and handle the exception according to your app. [Perhaps assume that the user is not logged in, if you are sure that your app_id and secret id are valid.]
If $user is null then you can get the URL to redirect the user to [for Facebook login] by calling $loginUrl = $facebook->getLoginUrl() and redirect the user or provide a clickable link to the URL.
All these are documented in the Facebook API documentation.
Sample Code:
<?php
require_once("facebook.php");

$config = array();
$config['appId'] = 'app id';
$config['secret'] = 'secret app id';
$facebook = new Facebook($config);

$user = null;
$uid = $facebook->getUser();
if ($uid) { // we have an id
    try {
        $user = $facebook->api('/me'); // get the current user's FB public profile
        if ($user) { // we have a valid user who is logged in to his facebook account
            $logoutURL = $facebook->getLogoutUrl(); // logout link for this user
        }
    } catch (FacebookApiException $e) {
        // the token was missing or invalid: treat the user as not logged in
        $user = null;
    }
}
if (!$user) { // no id or no profile: send the user to the Facebook login
    $loginURL = $facebook->getLoginUrl();
}
Again, all these are documented in the Facebook PHP client, so it's your best choice to start. Facebook changes its API without much notification, so you should visit their developer page in case your code starts to behave strangely.
Hope it helps!
Answer 1: It's the right way to go.
Answer 2: Use the PHP SDK, it already has everything to secure your FB login.
Answer 3: Yes, user needs to allow your app before you can user id.
Answer 4: Maybe because you haven't created an app on Facebook and are using code from the demo file. The demo file is linked to an app which has its site URL set to localhost.
So, to fix this, create an app on Facebook and give it a site URL (the URL of your server).
Then it should work :)
More questions are welcome :)
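The three-step login check from the question, as an added example that is not code from the question or either answer. It assumes a remember-me cookie of the form "selector:validator" with only a SHA-256 of the validator stored server-side; resolveUser(), the $db array and all sample values are hypothetical and constructed for illustration.

```php
<?php
// Constructed in-memory stand-in for the real user and remember-me tables.
$db = [
    'users'    => [7 => ['nick' => 'alice', 'fb_uid' => '1000001']],
    // Rows keyed by selector; the validator itself is never stored, only its hash.
    'remember' => ['sel123' => ['user_id' => 7,
                                'hash'    => hash('sha256', 'validator-abc'),
                                'expires' => PHP_INT_MAX]],
];

// Returns ['user_id' => ..., 'via' => ...] or null when a login form is needed.
// $fbUid is the value of $facebook->getUser(), cast to string by the caller.
function resolveUser(array $session, array $cookies, ?string $fbUid, array $db): ?array
{
    // Step 1: an existing session wins.
    if (isset($session['user_id'], $db['users'][$session['user_id']])) {
        return ['user_id' => $session['user_id'], 'via' => 'session'];
    }
    // Step 2: remember-me cookie, split into lookup key and secret part.
    if (isset($cookies['remember']) && is_string($cookies['remember'])) {
        $parts = explode(':', $cookies['remember'], 2);
        if (count($parts) === 2 && isset($db['remember'][$parts[0]])) {
            $row = $db['remember'][$parts[0]];
            // Reject expired rows; compare hashes in constant time.
            if ($row['expires'] > time()
                && hash_equals($row['hash'], hash('sha256', $parts[1]))) {
                return ['user_id' => $row['user_id'], 'via' => 'remember'];
            }
        }
    }
    // Step 3: Facebook id must match an account that stored it at sign-up.
    if ($fbUid) {
        foreach ($db['users'] as $id => $u) {
            if (isset($u['fb_uid']) && $u['fb_uid'] === $fbUid) {
                return ['user_id' => $id, 'via' => 'facebook'];
            }
        }
    }
    return null; // nobody recognised: show the login form
}

// Constructed requests: a valid cookie, a tampered cookie with a linked FB id, nothing.
print_r(resolveUser([], ['remember' => 'sel123:validator-abc'], null, $db));
print_r(resolveUser([], ['remember' => 'sel123:wrong'], '1000001', $db));
var_dump(resolveUser([], [], null, $db));
```

When step 2 or step 3 succeeds, call session_regenerate_id(true) before writing the session vars so the new login does not reuse a pre-login session id.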