App with iFrame keeps reloading with new auth_token in URL

Dec 13, 2008 at 9:56 PM
Edited Dec 13, 2008 at 9:56 PM

I have a problem which has already discussed here:

I don't know when the problem starts, but sometime i click a link in my application  and get redirected to the callback url with a new auth_token and i can't get out.

I am using iframes, masterpages and the newest facebook . net toolkit.

I start my asp pages with:

        new protected void Page_Load(object sender, EventArgs e)
            base.ApiKey = FACEBOOK_API_KEY;
            base.Secret = FACEBOOK_SECRET;
            base.Page_Load(sender, e);

Any ideas?


Dec 15, 2008 at 12:31 AM
I'm getting the exact same error.

I have found the following. If I restart IIS, load my app through facebook everything works 100%. As soon as I close my browser and re-open it and access the application again the auth_token issue re-appears. I then have to restart IIS te get rid of the error again.

I'm going to try and debug this to see what is happening.

Dec 15, 2008 at 2:34 AM
Edited Dec 15, 2008 at 2:42 AM
I think I have found the source of the problem for IFrame based apps.

Both CanvasIFrameBasePage and CanvasIFrameMasterPage uses BasePageHelper.LoadIFramePage() method to establish the facebook session parameters. It then retrieves the fb_sig_session_key and fb_sig_user values from either the querystring OR from the HttpSessionState depending on which one is available (querystring seems to take preference). It then saves these values in the HttpSessionState for future use. Now according to me the BUG comes in at line 193 in BasePageHelper.cs where TryAddApp() is called. TryAddApp() for some reason clears the Cookie that holds the "ASP.NET_SessionId", in other words we loose the session state and due to that BasePageHelper redirects to the FB login page which in turns creates a new auth_token and redirects to your default page.

So if you have any links or redirects that does not include the fb_sig_session_key and fb_sig_user as part of the querystring you will not be able to use the SessionState to get these values due to the bug described and inevitably end up at your default page.

Two workarounds  that solved the issue for me after initial tests:

1) include the fb_sig_session_key and fb_sig_user query parameters in your links or redirects. i.e.
Response.Redirect("~/YourNewPage.aspx?fb_sig_session_key=" + Master.API.SessionKey + "&fb_sig_user=" + Master.API.uid, false);

2) If you dont want to use the querystring parameters you could comment out line 256 in BasePageHelper.cs where the cookie is reset - //_response.Cookies.Clear();

I'm new to the Facebook Developer Toolkit library, so I'm not sure what side-affects (2) will have, so I'd probably recommend you use (1) until one of the developers can verify and possibly fix the bug.


PS I've opened a new  issue item , so please vote for it if the suggestions above worked for you.
Jan 22, 2009 at 1:51 PM
  I've solved the facebook session expiration issue in IE.
            Nikhil have written code in CanvasIFrameMasterPage class.
if (!_autoAdd) return; //Removed: !api.users.isAppAdded()

if (api.SessionKey != null)
//RedirectTopFrame(_response, FACEBOOK_ADD_URL + api.ApplicationKey);
first line should be written like this if (!_autoAdd) return !api.users.isAppAdded();

Other Solution:
Add this line in master page of home page of your application.
this.AutoAdd = false;

Nov 3, 2009 at 9:04 PM

Ugly bug...Thanks for providing the fix!

Dec 31, 2009 at 8:51 AM


I had same problem, but I simply pass on same query string like below

Response.Redirect("some url?" & Request.QueryString.ToString)

And it works.  When you use IFrame as your solution, FB pass on several querystrings automatically, response.redirect does not do that automatically.