Promoting a stored Offline access session to the client

Mar 7, 2010 at 8:42 AM

The scenario is this:

  1. User registers and allows offline_access permission
  2. I save the session in the database
  3. User logs in later through application authentication (not Facebook)
  4. I retrieve the stored infinite session key and apply it to the active session like so:

        _facebookAPI.Session.SessionKey = offlineAccesSessionKey;
        _facebookAPI.Session.UserId = (long)fuid;

Now I want to use FBML / FBJS on the client. 

So I try this:

    _facebookAPI.Auth.Session.UserId = (long)fuid;
    _facebookAPI.Auth.Session.SessionKey = offlineAccesSessionKey;
    _facebookAPI.Auth.Session.SessionSecret = _facebookAPI.Session.SessionSecret;

But on the client side it's like I have no session at all.

How do I use my offline_access permission to allow client side access?

Am I wrong in thinking the code above should do the trick?

Is there a way to store the necessary cookies?


Mar 7, 2010 at 4:09 PM

From the Facebook DevWiki:

This seems to pretty clearly describe what needs to get done. Now the question is why I can't make this work with Toolkit V3.

Transferring Sessions From the Server to JavaScript

A session secret-based session is required for the Facebook JavaScript Client Library. By default, sessions generated on the server-side (for example, by calling require_login) are not session secret-based. In order to get a session secret-based session, you have two options:

  1. Explicitly ask for a session secret-based session in auth.getSession – when first requesting a session, you can ask for a session secret-based session via this API. If you’re using our PHP 5 client library, you can also indicate this in the Facebook object constructor.
  2. Promote a non-session-secret-based session – the auth.promoteSession API call can be used to promote an already existing session to a session secret-based session.

The PHP 5 client automatically saves the session in a set of cookies local to your site, which the Facebook JavaScript library will parse, so a valid session secret-based session should be available immediately after either of these methods succeeds. If you’re not using the Facebook PHP library, please see the article Verifying The Signature for details on the cookie format and how to ensure that the cookies you’re transferring are secure.

The Facebook Connect login flow is JavaScript-based, so almost all interoperability scenarios will involve moving sessions from JavaScript to the server. If your site is using the traditional redirect/popup experience or the user has previously granted your site offline access, it may be necessary to promote a session from the server to JavaScript.
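
The DevWiki text quoted above defers the cookie format to "Verifying The Signature". As an added example (not code from this thread, the Toolkit or Facebook), the C# class below builds and verifies a signed cookie set for a stored session. It assumes the legacy Connect layout, which this page does not spell out: cookies named `<api_key>_user`, `<api_key>_session_key` and `<api_key>_ss`, plus a cookie named `<api_key>` holding an MD5 signature keyed with the application secret. `ConnectCookies`, `Sign`, `Build` and `Verify` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class ConnectCookies
{
    // Assumed legacy scheme: hex MD5 of the ordinally sorted "name=value" pairs,
    // concatenated with no separator, followed by the application secret.
    public static string Sign(IDictionary<string, string> fields, string appSecret)
    {
        var sb = new StringBuilder();
        foreach (var kv in fields.OrderBy(p => p.Key, StringComparer.Ordinal))
            sb.Append(kv.Key).Append('=').Append(kv.Value);
        sb.Append(appSecret);
        using (var md5 = MD5.Create())
            return BitConverter.ToString(md5.ComputeHash(Encoding.UTF8.GetBytes(sb.ToString())))
                               .Replace("-", "").ToLowerInvariant();
    }

    // Cookie set for a stored session: "<apiKey>_<field>" plus "<apiKey>" = signature.
    public static Dictionary<string, string> Build(string apiKey, string appSecret,
        long userId, string sessionKey, string sessionSecret)
    {
        var fields = new Dictionary<string, string> {
            { "user", userId.ToString() }, { "session_key", sessionKey }, { "ss", sessionSecret } };
        var cookies = fields.ToDictionary(p => apiKey + "_" + p.Key, p => p.Value);
        cookies[apiKey] = Sign(fields, appSecret);
        return cookies;
    }

    // Recompute the signature over every "<apiKey>_*" cookie and compare in constant time.
    public static bool Verify(string apiKey, string appSecret, IDictionary<string, string> cookies)
    {
        string prefix = apiKey + "_";
        var fields = cookies.Where(p => p.Key.StartsWith(prefix, StringComparison.Ordinal))
                            .ToDictionary(p => p.Key.Substring(prefix.Length), p => p.Value);
        if (fields.Count == 0 || !cookies.TryGetValue(apiKey, out string sig)) return false;
        string expected = Sign(fields, appSecret);
        int diff = expected.Length ^ sig.Length;
        for (int i = 0; i < Math.Min(expected.Length, sig.Length); i++) diff |= expected[i] ^ sig[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed placeholder values, not real credentials.
        var c = Build("APIKEY", "APPSECRET", 12345L, "SESSIONKEY", "SESSIONSECRET");
        Console.WriteLine(Verify("APIKEY", "APPSECRET", c));   // untouched cookie set
        c["APIKEY_user"] = "99999";                            // tampered user id
        Console.WriteLine(Verify("APIKEY", "APPSECRET", c));
    }
}
```

The application secret used for signing stays on the server; only the session secret is written into a cookie for the JavaScript library to read.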