如何从Facebook注销或使用php破坏活动会话? [英] How to logout from facebook or destroy an active session using php?

问题描述

我有一个通过Facebook进行注册的应用程序，但是在用户可以进行注册之前，系统应首先确定是否存在活动会话.如果用户登录到 facebook ，则该用户应自动注销以重新开始.

但是这里就是我被困住的地方.如果用户连接到您的应用程序，则SDK仅允许用户从facebook注销.它使用应用程序的访问令牌.但是，如果他仍未注册到您的应用程序该怎么办?他们的登出意味着从您的应用登出，而不是从Facebook登出.

我的要求:

1..如何从Facebook中注销.

2..如何清除浏览器cookie?

不是在特定应用上，而是在整个Facebook会话中.

解决方案

[来自注释]但是要使用getLogoutUrl()函数，用户必须连接到您的应用程序.我需要从整个Facebook中注销，而不仅仅是从应用程序中注销

如果用户已连接到您的应用程序，则getLogoutUrl方法提供的URL会执行此操作–将用户从您的应用程序(网络应用程序)和中注销，从facebook.com中注销

但是，如果用户未连接到您的应用，则您没有活动的用户访问令牌-然后就无法注销Facebook.显而易见的原因是，如果是的话，我访问的每个网站都可能以偷渡式"方式将我从Facebook中注销-无需我积极地希望这样做，因此人们会很快感到恼火.

如果用户登录到Facebook，则应该自动注销以重新开始.

如果出于安全考虑，那么您实际上正在寻找 https://developers.facebook.com/bugs/248632218597467 (已被分配为优先级:高，但只收到了我们将继续跟踪" 答复.)

I have an application which asks for a registration through facebook but before a user can proceed to the registration, the system should first determine if there is an active session. If a user is logged in to facebook, it should then automatically logout for a fresh start.

But here is where I'm stuck. The SDKs only let the user log out from facebook if he is connected to your app. It uses the app's access token. But what if he is still not registered to your app? Their log out means to log out from your app, and not really from facebook.

My requirement :

1. How can i log out from facebook.

2. How can i clear the browser cookies?

Not on a specific app but the whole facebook session.

解决方案

[from comments] But to use the getLogoutUrl() function, the user has to be connected to your app. What I need is to logout from the whole facebook and not just from the app

If the user is connected to your app, then the URL provided by the getLogoutUrl method does that – log the user out of your app (web-app) and out of facebook.com.

If the user is not connected to your app however, you don’t have an active user access token – and then logging out of Facebook is not possible. The obvious reason being that if it was, every website that I visit could log me out of Facebook in a "drive-by" manner – without me actively wanting that, so people would get annoyed quite quickly.

If a user is logged in to facebook, it should then automatically logout for a fresh start.

If this is a security consideration, then you are in fact looking for re-authentication, which can be done using the auth_type parameter, quote from docs:

In apps where security is very important, you may want to double-check someone's identity - perhaps before they make a purchase within the app, or use it to access some sensitive personal data.

To prevent situations where a user could leave a device logged in or man-in-the-middle hijacking of the user session, re-authentication forces a person to re-enter their Facebook password before they can continue to use your app.

Be aware to use the server-side Auth flow though – because in the client-side flow, using the JS SDK, there is a bug that allows the user to bypass re-entering his password by simply closing the popup, which is still open: https://developers.facebook.com/bugs/248632218597467 (Has been assigned Priority: High, but received still nothing more than a "we will follow up" response yet.)

这篇关于如何从Facebook注销或使用php破坏活动会话?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！