Session key invalid or no longer valid - Returning user

Sep 2, 2009 at 1:58 PM

Just thought I would share this in case anyone else is anal enough to worry about this scenario.

While developing my facebook app (IFrameCanvisPage), I have been adding and removing the app from my facebook profile to test the funtionalities. Everytime I would remove the app permissions and then try to go back to the app, I would get "Session key invalid or no longer valid" and I could not re-approve the app. If made me wonder what would happen if a user removed my app (boooo), but then had a change of heart and went back to reinstall then got an error page. Small thing to worry about in the grand scheme of things but it tripped me up for a couple days because I couldn't figure it out... the dumb little things that get under your skin sometimes.

Anyway, the only way I could get around this was to wait for the session to expire or to recompile my app. I searched all over for a solution, but since not very many people are as anal about little things like this as me, I couldn't find anything.

This morning, I think I have stumbled across an answer.

Any pages that reference the fdt api will need the following added to the page_onload... excuse my use of vb instead of C# folks.

       If Request("fb_sig_session_key") = "" Then
            Master.Session.Abandon()
            Response.Redirect("default.aspx") <---- or whatever your canvis default page is
        End If

What this does is checks the session_key sent by facebook to see if it's empty which after the unistall, it is.
Clears out the Old Session in .Net
Then reloads the Canvis page, which now that the session is clear will redirect the user to the install page again.

I tried to do it without the response.redirect but it didn't hook into the fdt.

I suppose there are better ways to do this but this seems quick and easy.

Hope this helps someone else out there!

Nov 7, 2009 at 7:43 PM
Edited Nov 7, 2009 at 7:47 PM

Hi, thanks for the research into this one.  It's one of 2 recurring errors I get and your solution looks very promising.  I'll give it a whirl today to see if those darned errors stop coming through.

My previous solution was to have the user change their Facebook password :)

Here's your code placed into my MasterPage's PageLoad method...

        if (Request["fb_sig_session_key"] == string.Empty)
        {
            this.Session.Abandon();
            Response.Redirect("default.aspx");
        }
Let's see how this goes. *fingers crossed*

Nov 8, 2009 at 5:44 AM

I got another one of these today (3 times from the same user) so I've modified my code slightly. Instead of just checking for string.Empty I've now changed it to check for null also...

if (string.IsNullOrEmpty(Request["fb_sig_session_key"]))
Let's see how THIS goes.

 

Nov 18, 2009 at 2:43 PM

This looks promising.  I used mrated's code

if (string.IsNullOrEmpty(Request["fb_sig_session_key"]))
        {
            this.Session.Abandon();
            Response.Redirect("default.aspx");
        }

in my masterpage, but it didn't work.  Then I placed it in pageload of the landing page, and it seems to have worked.  I noticed that this error occured if the user removed the app, then went back to the app and tried to use it again.  Instead of being prompted to allow, they got the session error.  Now that does not happen.

Nov 20, 2009 at 6:26 PM

thank you :)

Nov 20, 2009 at 8:55 PM

I think I have a similar problem, but if I insert this code, I get an infinite loop because Request["fb_sig_session_key"] is always null even after the Redirect.

What should be in Request["fb_sig_session_key"] ?

Nov 20, 2009 at 9:04 PM

Hi guys,

Ultimately I ended up doing the same as dfoerra by putting the code into the individual pages.  I put it in Page_PreRender() just to be extra sure that there'd be the session info from the toolkit.  I also appended my querystring etc. as I need it on that page... final code (in "mypage.aspx")

schinkowski, there should be a string if your user has authenticated with Facebook... the actual content is irrelevant to you (it's Facebook's session key) but if there isn't one then they aren't authenticated, hence the redirect after killing the session to force the toolkit to try again.

if (string.IsNullOrEmpty(Request["fb_sig_session_key"]))
{
this.Session.Abandon();
Response.Redirect("MyPage.aspx?" + Request.QueryString);
}

Nov 20, 2009 at 9:19 PM

Thanks for your reply.

Is that not stored in Session.SessionId ?

Session.SessionId has a value, so I think the session is authenticated.

Nov 20, 2009 at 9:27 PM

Session.SessionId is YOUR session ID (i.e. the user's session id associated with your web server). The other one is a Facebook toolkit (Facebook in general actually) key which is unrelated to your web server.

Nov 23, 2009 at 11:05 AM
mrated wrote:

Ultimately I ended up doing the same as dfoerra by putting the code into the individual pages.  I put it in Page_PreRender() just to be extra sure that there'd be the session info from the toolkit.  I also appended my querystring etc. as I need it on that page... final code (in "mypage.aspx")

schinkowski, there should be a string if your user has authenticated with Facebook... the actual content is irrelevant to you (it's Facebook's session key) but if there isn't one then they aren't authenticated, hence the redirect after killing the session to force the toolkit to try again.

if (string.IsNullOrEmpty(Request["fb_sig_session_key"]))
{
this.Session.Abandon();
Response.Redirect("MyPage.aspx?" + Request.QueryString);
}
What version of the toolkit are you guys using? I am using V3.0 Canvas I frame app and if I put that code in the Page_PreRender it just seems to lose the session and return to the callback URL (my default page).

 

Nov 23, 2009 at 11:41 AM

Version 2.something... I don't fancy upgrading to v3.0 just yet as the namespace has changed a lot (i.e. to what it should have been in the first place!) which means a lot of breaking changes.