Facebook canvas app doesn't save sessions

I made a test application for Facebook to play with, and I use sessions to store authentication. I am using OmniAuth. When I go to http://fbbtest.heroku.com/ and then refresh the page, the session is still there and it says that I'm logged in. When I try from the canvas http://apps.facebook.com/herokutestapp/ it logs me in, redirects me back and says that I am logged in, but when I then refresh manually it says that I am not logged in. Is there anything special I have to do with sessions in Rails 3 so that it also works in the Facebook canvas?

This is what I now have in my controllers and views.

    def index
    end

    # OmniAuth callback: store the auth hash and the access token in the session
    def create
      session['fb_auth'] = request.env['omniauth.auth']
      session['fb_token'] = session['fb_auth']['credentials']['token']
      session['fb_error'] = nil
      redirect_to root_path
    end

    def destroy
      clear_session
      redirect_to root_path
    end

    # OmniAuth failure callback (user denied access or the provider returned an error)
    def failure
      clear_session
      session['fb_error'] = 'In order to use this site you must allow us access to your Facebook data<br />'
      redirect_to root_path
    end

    private

    # Helper, not an action: keep it out of the routable public methods
    def clear_session
      session['fb_auth'] = nil
      session['fb_token'] = nil
      session['fb_error'] = nil
    end

Index view

    <div class="container">
      <h1>Heroku FB Test application</h1><br />
      <div class="center"><br />
        <%= session[:fb_error] %>
        <% if session[:fb_token] %>
          <p> Successfully logged in. </p>
          <a href='logout'>Logout</a>
        <% else %>
          <%= session[:fb_error] %><br />
          <%= link_to "Log in with Facebook", "/auth/facebook", :class => "popup", :"data-width" => 600, :"data-height" => 400 %>
          <br />
          <p> please log in </p>
        <% end %>
      </div>
    </div>
+6
4 answers

The problem you might be facing is that Rails' CSRF forgery detection is interfering with part of your authentication, since the requests come in as HTTP POST.

The first line in your ApplicationController is probably something like this:

    class ApplicationController < ActionController::Base
      protect_from_forgery
      [...]

Remove the 'protect_from_forgery' line and see if that solves your problem. If it turns out to be the case, go back and put it in on a more limited basis (only the relevant controllers; see here: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html ).

There is a great example of getting OmniAuth working at http://www.communityguides.eu/articles/16 , and the full example code is at https://github.com/markusproske/omniauth_pure . However, they have the following:

    class ServicesController < ApplicationController
      before_filter :authenticate_user!, :except => [:create, :signin, :signup, :newaccount, :failure]
      protect_from_forgery :except => :create

You need some variation of both of these lines so that OmniAuth, Facebook and Rails sessions work well together. If this does not work, post the OmniAuth::Builder information from your production.rb environment (with the details XXXed out) and any other related controller code you use for authentication; that will be useful for debugging it.

When developing Rails applications that use Facebook, it is also easier to debug using http://tunnlr.com or another such service (or just an SSH tunnel: http://blog.kenweiner.com/2007/09/reverse-ssh-tunnel-for-facebook.html ), which lets you run the debugger on your local computer and is very useful for solving these problems.

+9

Facebook iframe sessions and cookies are very difficult to work with, but not impossible. I have run into this several times while developing daily contests.

The solution is to use P3P headers. Honestly, I'm not too sure how they work, but they reduce cross-browser issues in iframes, especially in IE and Safari.

Add the following at the top of each page:

    header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

This may not solve your problem exactly, but hopefully it helps you on the right track.

+1
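The PHP line in the answer above is its one concrete fix, so here it is carried over to the Rails 3 setting of the question as a Rack middleware (an added example, not code from the answer or from the poster's app; it assumes a Rails 3 app with `config.middleware.use P3PHeader` in config/application.rb). Only Internet Explorer ever evaluated P3P, so this helps with IE's iframe cookie policy and nothing else.

```ruby
# Added example: the PHP header() line from the answer expressed as a Rack
# middleware, so every response of a Rails 3 app carries the same P3P policy.
# Assumed wiring (not from the page): config.middleware.use P3PHeader
class P3PHeader
  # Same compact policy string as the PHP snippet in the answer.
  POLICY = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Do not clobber a P3P header an inner layer (or a controller) already chose to send.
    headers['P3P'] ||= POLICY
    [status, headers, body]
  end
end

# Minimal stand-in for the Rails app so the middleware can be exercised offline.
# inner_headers simulates whatever the application itself set on the response.
def run_through_middleware(inner_headers = {})
  app = lambda { |_env| [200, inner_headers.merge('Content-Type' => 'text/html'), ['ok']] }
  # Constructed Rack env for a canvas-style POST to the root path.
  P3PHeader.new(app).call('REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/')
end
```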

If I use cookies.permanent.signed[:fb_auth], it lets me return to the application on Facebook without it being overwritten. Is this the best way to get around sessions not working through iframes?

0

This sounds like a third-party cookie problem. Are you sure that using cookies.permanent.signed works correctly if you have only accessed the site through Facebook? Try clearing the cookies, restarting the browser, then going to the Facebook canvas page and checking again.

In Firefox, try going to Tools -> Options -> Privacy and see whether the "Accept third-party cookies" checkbox is cleared. If so, try checking it and testing again.

It is not surprising that third-party cookies can cause problems; the confusing part is why using a persistent cookie matters.

If you confirm that third-party cookies are the problem, I am afraid there is no easy solution if you want the application to be accessible to everyone. You would have to stop using cookies entirely and maintain session state using only values passed via GET/POST.

0

Source: https://habr.com/ru/post/886356/
