Facebook Cookbook - Jay Goldman [136]
Auth.createToken()
Auth.getSession()
Fbml.refreshImgSrc()
Fbml.refreshRefUrl()
Fbml.setRefHandle()
Marketplace.createListing()
Marketplace.getCategories()
Marketplace.getSubCategories()
Marketplace.removeListing()
Notifications.send()
Notifications.sendEmail()
Pages.getInfo()
Pages.isAppAdded()
Photos.addTag()
Photos.createAlbum()
Photos.upload()
Profile.getFBML()
Profile.setFBML()
Users.hasAppPermission()
Users.isAppUser()
Users.setStatus()
Since this new policy was evolving as this book was going to press, check the Wiki for more information about which methods do or don’t require a key (specifically http://wiki.developers.facebook.com/index.php/New_Design_Platform_Changes#Changes_to_Session_Keys or http://tinyurl.com/5czxej).
Creating an Infinite Session Key
Problem
The user sessions that are created when my users log in expire too quickly. Is there a way to create an infinite session?
Solution
There are two ways to do this:
If your users check the “Keep me logged into [Your App Name]” checkbox when logging into your app, their session with your app will go on forever and always.
You can give users the option of creating a special infinite key code for you by sending them to the URL http://www.facebook.com/code_gen.php?v=1.0&api_key=1234567890, where 1234567890 is your app’s API key (not your app’s ID, but rather the full API key). This will prompt them to generate a key, which they can then give your app and you can pass into the Auth.getSession() as an auth_token. The session_key you get back will survive beyond the sands of time.
NOTE
Web-based Facebook apps used to be automatically granted infinite sessions but now need to manually create them (as of July 15, 2008), the same way that Desktop and Mobile apps have always had to.
Discussion
Infinite session keys are also useful when you have users accessing your app from a third-party site or if you’re using a cron job to process things on a scheduled basis. There’s no way for you to programmatically create an infinite session without expressed consent from your users, which is really for the best. The second option listed in the Solution is the more awkward of the two, since it requires sending them off into a Facebook process that doesn’t automatically return them to your app. If users aren’t logged in when you send them to that URL, they’ll see a login page with the special message shown in Figure 9-5.
Figure 9-5. Session key generator login
After they log in (or if they were already logged in), they’ll see the confirmation page shown in Figure 9-6.
Figure 9-6. Session key generator confirmation
If they click on the Generate button, they’ll get a code they can give you, like the one shown in Figure 9-7.
Figure 9-7. Session key generator code
Note that there’s no way back to your app from that page, so although they now have the code (yay!), they need to figure out how to get back to give it to you on their own (boo!). When they’ve finally hacked their way back through the jungle and made it over the perilous river bridge, grab that code and pass it into a call to Auth.getSession() to produce your fabled infinite session key:
$return = $facebook->api_client->auth_getSession($userCode);
Look in return['session_key'] to find the actual key.
A final note on the true infinite nature of the infinite key. As with all things in life, this is only mostly as good as it sounds. The key doesn’t really last forever: if a user uninstalls and reinstalls your app, her key will expire and she’ll have to go through this again (although this time she’ll have an easier time navigating through the jungle).
NOTE
Facebook’s list of storable items doesn’t include a user’s session_key, but