GetLoggedInUser or CheckForLoggedInAgainstServer

Jun 12, 2007 at 12:02 AM
Jun 12, 2007 at 3:37 AM
Sure. Can you explain what you need? I am implementing a few things right now. I don't follow the issue that you are describing.

Can you give me some more details?

Jun 12, 2007 at 4:43 PM
I need a GetLoggedInUser because there is a situation where the internal UserId field might be incorrect.

There is a Facebook API call called users.getLoggedInUser with the response:

<?xml version="1.0" encoding="UTF-8"?>

<users_getLoggedInUser_response xmlns="" xmlns:xsi="" xsi:schemaLocation="">17005258</users_getLoggedInUser_response>

I need to use this method to do a last-minute security check from a web service to make sure the guy I'm giving data to is the guy that made the session. Anyone can tell me their userId and they can make it up; I need to distrust API arguments.
Jun 12, 2007 at 5:31 PM
Got it. We can definitely do this.
Jun 13, 2007 at 4:01 PM
I added GetLoggedInUser this morning.
Jun 19, 2007 at 4:25 PM
This might be a related question. When Facebook displays my canvas page, the URL query string contains a user id and a session key. Can I use GetLoggedInUser() to verify the user id, so that I can authenticate the user without redirecting to the Facebook login page?
Jun 21, 2007 at 4:37 PM

If it is an internal app, inside a canvas page the current logged-in user id will always be returned from Request("fb_sig_user").
Jun 21, 2007 at 5:16 PM
GetLoggedInUser should work as well.
Jul 6, 2007 at 5:29 PM
I tried GetLoggedInUser and it does not give me a new userid when I log out and come back as someone else.

Log in as person A. Use the app.
Log out, come back as person B.
The call to GetLoggedInUser shows person A's id, not person B's.

Am I calling it wrong?
I just call:

currentuser = _fbService.GetLoggedInUser()

at the beginning of my main page.

Jul 6, 2007 at 7:37 PM
I guess it is dependent on the session. If your _fbService still has the session that was tied to the last, GetLoggedInUser will return that user, since the API calls are dependent on the user.

So, if you still have the session key associated with the previous user, getLoggedInUser won't be correct. You need to get a fresh session id.

Good catch. I'll look into it and see what other options you have.
Jul 12, 2007 at 2:45 PM
I'm having a similar issue...if someone logs into Facebook on a computer, and then logs out, and then someone else logs into Facebook with a different Facebook account, this is where the trouble this point, our application still has an active .NET session and the Facebook session is still fine because it doesn't expire. So...the new entrant into Facebook will then see the previous person's data in our application because the .NET application has no way of knowing that the previous user logged out of Facebook. The Facebook session details we get back from "CreateSession" are still valid since this session doesn't when the second person accesses the app in Facebook, they see the previous person's details because the .NET session is still active and has apparently no way of knowing it is now returning data on user #1 to user #2.

I'm using what I believe to be the same code many others are employing using the .NET Facebook API so I have to assume others are experiencing the same thing, or perhaps aren't aware of it...

I'm not sure how to deal with it though...since the app runs in an IFRAME, there really isn't any way that I can think of on how to determine that a different person is logged in, when the app has what it believes to be a perfectly valid session key.
Jul 12, 2007 at 4:06 PM
I have an idea. Let me try it out.

Will post back here shortly.
Jul 12, 2007 at 4:21 PM
Are you using the Canvas IFRame Base page?

I just tried this using the base page and it handles it correctly (already implements what I was thinking you need to do).

The issue is that you should get the Facebook session and userid out of the request first before going back to the session. It's possible you are doing a slightly different scenario.

But here is my scenario:

1) Open Browser
2) Type url
3) Log in as User A
4) Look at userID and Session established. Session is associated with User A's id.
5) Click logout button
6) In the same browser, type the same URL again
7) Log in as User B
8) Canvas base page pulls userid and session out of request (not session)
9) Session is associated with User B's Id
10) Session is updated with this new information (from the request)

Jul 12, 2007 at 9:37 PM
OK...I was able to figure this out from your posting above...checking the "Request" before going to the session was the key...that allowed me to compare the IDs of the logged in user and the one calling for the page.

Thanks a lot for your help.
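
The request-first check from the scenario above, combined with the getLoggedInUser verification requested at the top of the thread, as an added example that is not code from the thread or from the toolkit. It is written in Python with plain dictionaries in place of the .NET Request and Session objects; `resolve_user`, `IdentityMismatch`, `SERVER`, the keys and the user ids are constructed, `fb_sig_session_key` is assumed to be the request parameter carrying the session key, and the lookup callable stands in for the users.getLoggedInUser call.

```python
# Added example. Every name here is a stand-in, not the toolkit's API.
class IdentityMismatch(Exception):
    """Claimed user id does not own the session key presented."""

def resolve_user(params, session, get_logged_in_user):
    """Return the verified user id for this request and refresh `session`.

    params: request parameters (untrusted); session: server-side session
    dict, possibly left over from a previous user; get_logged_in_user:
    callable(session_key) -> user id or None, standing in for the
    users.getLoggedInUser call.
    """
    # 1. Request first, cached session only as a fallback.
    key = params.get("fb_sig_session_key") or session.get("session_key")
    if not key:
        session.clear()
        raise IdentityMismatch("no session key available")
    # 2. A different key means a different login: drop everything cached.
    if session.get("session_key") != key:
        session.clear()
    # 3. Ask the server who owns the key; never trust the claimed id alone.
    actual = get_logged_in_user(key)
    claimed = params.get("fb_sig_user")
    if actual is None or (claimed is not None and str(claimed) != str(actual)):
        session.clear()
        raise IdentityMismatch(f"claimed={claimed!r} actual={actual!r}")
    session.update(session_key=key, user_id=str(actual))
    return session["user_id"]

# Constructed data: which user each session key belongs to on the server.
SERVER = {"key-A": "1001", "key-B": "1002"}

def demo():
    session = {}                                   # one browser, one app session
    a = resolve_user({"fb_sig_user": "1001", "fb_sig_session_key": "key-A"},
                     session, SERVER.get)
    session["cached_profile"] = "profile of 1001"  # app caches user A's data
    # User A logs out, user B logs in from the same browser.
    b = resolve_user({"fb_sig_user": "1002", "fb_sig_session_key": "key-B"},
                     session, SERVER.get)
    leaked = "cached_profile" in session           # False: A's data was dropped
    try:                                           # B's session, A's claimed id
        resolve_user({"fb_sig_user": "1001", "fb_sig_session_key": "key-B"},
                     session, SERVER.get)
        forged_ok = True
    except IdentityMismatch:
        forged_ok = False
    return a, b, leaked, forged_ok
```
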