Well, for one thing, all of the code that would put anything in the session has been commented out. You're doing nothing to maintain your session.

You call [man]session_start[/man] when [font=monospace]index.php[/font] is run, but nowhere else (unless there's something in the Facebook API that does that automatically, which I doubt).

In particular, you never seem to record in the session the fact that the user has logged in (you set [font=monospace]$session[/font] in [font=monospace]index.php[/font], but you don't store it in the session, and you use it in [font=monospace]after-login.php[/font] but you never retrieve it from the session). If you don't make the effort to remember information from one request to the next then it's going to be forgotten.

pjvex wrote:

The problem is I lose variables. I understand include and require, but there is a instantiation of a facebook class that redirects the user after he/she logs in back to a url that you specify, but there is no session data when it returns.

Short answer, there is nothing on [font=monospace]after-login.php[/font] to restore the session state which you (should have) recorded in [font=monospace]index.php[/font]. See [man]intro.session[/man] for an introduction to PHP session handling.

Well firstly, Thank you for your reply... I was beginning to think I was on the "pay-no-mind" list on other similar forums on the web...at least whenever I brought up the Facebook API. So your comments are VERY much appreciated.

Weedpacket;11046625 wrote:

Well, for one thing, all of the code that would put anything in the session has been commented out. You're doing nothing to maintain your session.

I see I chose the newbies forum wisely. I understand the concept of a session from a non-coding perspective, but when I started to write this, it became confusing to me. First... I don't know exactly when to start the session. Does one always do it at the outset of loading a page where authentication will be required? And if that is the case, then according to [man]session_start[/man] a session is created—or the current one is resumed. At one point I had

session_start()

at the beginning of the page after I return from the redirect, and I got an error that said "session already started", so I figured using session_start() more than once should be avoided.

Also, the manual says that session_start() creates a session identifier passed via a GET or POST request, or passed via a cookie. If I call session_start() at the beginning of my index.php, where is it getting its session identifier...or when does it get it?

Weedpacket;11046625 wrote:

You call [man]session_start[/man] when [font=monospace]index.php[/font] is run, but nowhere else (unless there's something in the Facebook API that does that automatically, which I doubt).

No I don't think FB does this automatically.

in index.php, when it gets to this section:

[code=php]//should put this in a function
try {
  $session = $helper->getSessionFromRedirect();
} catch( FacebookRequestException $ex ) {
  $session = null;
  // When Facebook returns an error
} catch( Exception $ex ) {
  // When validation fails or other local issues
  $session = null;
}

[/CODE]

I am simply checking for the possibility that the user may already be logged in. And this is another point of confusion. Just because the user is logged in, this doesn't mean I have received authorization for my "app". However, I try to get $session from the

$helper->getSessionFromRedirect()

which is a method of the FacebookRedirectLoginHelper() class (instantiated immediately above). When would I have the "session identifier" referenced in the manual?

Weedpacket;11046625 wrote:

In particular, you never seem to record in the session the fact that the user has logged in (you set [font=monospace]$session[/font] in [font=monospace]index.php[/font], but you don't store it in the session, and you use it in [font=monospace]after-login.php[/font] but you never retrieve it from the session). If you don't make the effort to remember information from one request to the next then it's going to be forgotten.

But I check to see if the user has logged in within the code block above in index.php. If the user has logged in, I was under the impression that the $session variable had stored the session in the line

$session = $helper->getSessionFromRedirect()

(but of course I could be wrong). If the user has not logged in, I

include login-needed.php;

(NOTE: I renamed fbconfig.php from my last post to login_needed.php as the name no longer made sense)... and it is here where I do a proactive call to get the user to login.

The login_needed.php merely sets up the scope of permissions I want from the user, and then creates the

$loginURL

which goes to Facebook. The user logs in and is returned to my website based on the global $REDIRECT_URL which is passed when instantiating a new FacebookRedirectLoginHelper object in this section from index.php

global $REDIRECT_URL;
$REDIRECT_URL = "http://dev.resultscloud.net/Facebook/NewVersion/after_login.php";
$helper = new FacebookRedirectLoginHelper($REDIRECT_URL);

OK... now we get to the core of my problems... in the after_login.php file. [Incidentally, while I wrote some of this, about 60% of this code came from snippets intelligently pulled from around the web, making sure, of course, they were all the same version of the SDK]. When you arrive at after_login.php, the user has logged in and Facebook has returned the user to your website.

My first question at the outset (more general PHP question): How can I know what variables remain once I get to after_login.php? After all this is a redirect from Facebook... not an include or a require.

But more importantly, I do not understand why there is another object instantiaion from Class FacebookRedirectLoginHelper! Why would I do this a second time?? If I do this in index.php when I am starting the session and preparing to send the user to to go to Facebook and login...this makes sense. But, if in index.php it turns out I don't have a session, then once I send the user to FB to login and return to after_login.php, creating a new FacebookRedirectLoginHelper seems illogical. You can see that this is how it is set up in the section on this Class at the Facebook SDK documentation.

Weedpacket;11046625 wrote:

Short answer, there is nothing on [font=monospace]after-login.php[/font] to restore the session state which you (should have) recorded in [font=monospace]index.php[/font]. See [man]intro.session[/man] for an introduction to PHP session handling.

Plus, if you follow the documentation, it once again does the try..catch block, and attempts to store the $session variable a

$session = $helper->getSessionFromRedirect();

.

However, I did read [man]intro.session[/man] (thank you) and I noticed it said [FONT=Franklin Gothic Medium]Please note when working with sessions that a record of a session is not created until a variable has been registered using the session_register() function or by adding a new key to the $_SESSION superglobal array. This holds true regardless of if a session has been started using the session_start() function.[/FONT]

So as far as keeping the session across the pages, do I need to use session_register()? Or rather check for valid session and then store variables in $_SESSION['xxx'] Superglobals?

Thank you for your help!

OK.. I re-arranged things a bit... and I am going through and attempting to set SESSION variables, but while I should have a session after the POST-GET-REDIRECT to FB and back, I have my redirect return to the same after_login.php as before, but now I check for a $session with

if ( isset( $session)

, and would think I would have one, but the if statement fails and goes to the else.

But what is driving me crazy is the last part... it goes to the

else

so apparently there is no session. From here, I just want to do a

header ("Location: " . $loginUrl)

... But this is what baffles me. I am back from the POST-GET-REDIRECT from FB, and my $loginUrl which I generated originally to send the user to Facebook isn't recognized. At first I thought it might need to be created again (with the proper scope, etc., so I added these two lines from my login-needed.php file... the second line uses the getLoginUrl method explained here.

$scope = array('manage_pages, publish_actions');
$loginUrl = $helper->getLoginUrl($scope);

But it didn't recognize the method.... And I cannot imagine I would have to create a new helper as I have in login-needed.php, like so:

$helper = new FacebookRedirectLoginHelper($redirect_url);
$scope = array('manage_pages, publish_actions');
$loginUrl = $helper->getLoginUrl($scope);

So I tried going back to the login-needed.php file and making the $loginUrl variable a global.

But that didn't work either. I havn't even figured out why I am defaulting to the login again.... and yet the $loginUrl variable isn't recognized!!!!!

I know I am new... But I know how to code... I am just not used to as much HTTP.

Thanks for anyone's explanation on this....

Here are my three files:

index.php

<?php
session_start();
?>
<!doctype html>
<html>
<head>
  <title>Login To Facebook</title>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css">
</head>
<body>

<?php if (isset($_SESSION['FBID'])): ?>      <!--  After user login  -->
    <div class="container">
      <div class="jumbotron">
        <h1>Thank you For Your Authorization!</h1>
          <h2>Hello <?php echo $_SESSION['USERNAME']; ?></h2>
      </div>
      <br>
      <div class=".text-info .text-center">
      <h2>Welcome to Our App!</h2>
      </div>
        <div class="span4">
          <ul class="nav nav-list">
            <li class="nav-header">Image</li>
            <li><img
            src="https://graph.facebook.com/<?php echo $_SESSION['FBID']; ?>/picture"></li>
            <li class="nav-header">Facebook ID</li>
            <li><?php echo  $_SESSION['FBID']; ?></li>
            <li class="nav-header">Facebook fullname</li>
            <li><?php echo $_SESSION['FULLNAME']; ?></li>
            <li class="nav-header">Facebook Email</li>
            <li><?php echo $_SESSION['EMAIL']; ?></li>
          </ul>
          <a href="logout.php" class="btn btn-info" role="button">Logout</a>
        <br>
      <pre>
      <?php print_r($_SESSION);?>
      </pre>
    </div>
  </div>
<?php else: ?>     <!-- Before login -->
  <div class="container bg-warning">
  <h1>Login with Facebook</h1>
  <h3 class="bg-important">Not Connected</h3>
<!--  <a href="fbconfig.php" class="btn btn-primary" role="button">Proceed to Facebook</a>-->
<?php include 'login_needed.php';
endif ?>
  </div>
  </body>
</html>

login_needed.php

<?php
require 'autoload.php';  //grabs all the classes
require 'functions.php';
use Facebook\FacebookSession;
use Facebook\FacebookRedirectLoginHelper;
use Facebook\FacebookRequest;
use Facebook\FacebookResponse;
use Facebook\FacebookSDKException;
use Facebook\FacebookRequestException;
use Facebook\FacebookAuthorizationException;
use Facebook\GraphObject;
use Facebook\Entities\AccessToken;
use Facebook\HttpClients\FacebookCurlHttpClient;

// start session

// init app with app id and secret
FacebookSession::setDefaultApplication( '968678193151708','f04a8d3ebe82949efbc1215840055df4' );

// login helper with redirect_uri
global $redirect_url;
$redirect_url = "http://dev.resultscloud.net/Facebook/NewVersion/after_login.php";

$helper = new FacebookRedirectLoginHelper($redirect_url);
//Scope to get Extended_Permissions
$scope = array('manage_pages, publish_actions');
// This will be the login URL
global $loginUrl;
$loginUrl = $helper->getLoginUrl($scope);
//should put this in a function
try {
  $session = $helper->getSessionFromRedirect();
} catch( FacebookRequestException $ex ) {
  $session = null;
  // When Facebook returns an error
} catch( Exception $ex ) {
  // When validation fails or other local issues
  $session = null;
}
echo '<div class="text-center"><a href="' . $loginUrl . '" class="btn btn-primary .btn-lg" role="button">Login To Facebook</a></div>'; ?>

and after_login.php

<?php
//require 'header.php';
session_start();
// see if we have a session
if ( isset( $session ) ) {
  // graph api request for user data
  try {
        $request = new FacebookRequest( $session, 'GET', '/me' );
        $response = $request->execute();
        $graphObject = $response->getGraphObject();
      } catch (FacebookRequestException $e) {
         echo "Exception occured, code: " . $e->getCode();
         echo " with message: " . $e->getMessage();
  }
    $fbid = $graphObject->getProperty('id');         // To Get Facebook ID
    $fbfullname = $graphObject->getProperty('name'); // To Get Facebook full name
    $femail = $graphObject->getProperty('email');    // To Get Facebook email ID

  /* ---- Session Variables -----*/
      $_SESSION['FBID']     = $fbid;
      $_SESSION['FULLNAME'] = $fbfullname;
      $_SESSION['EMAIL']    = $femail;
  /* ---- header location after session ----*/
  header("Location: index.php");
} else {
  // $scope = array('manage_pages, publish_actions');
  // $loginUrl = $helper->getLoginUrl($scope);
   header( "Location: " . $loginUrl ); }




// // Extend Access Token
// $accessToken = $session->getAccessToken();
// try {
//   // Exchange the short-lived token for a long-lived token.
//   $longLivedAccessToken = $accessToken->extend();
// } catch(FacebookSDKException $e) {
//     echo 'Error extending short-lived access token: ' . $e->getMessage();
//   exit;
// }

// // Get Page Info since we should have an extended permissions
// $request = new FacebookRequest($session, 'GET', '/me/accounts?fields=name,access_token,perms');
// Chaining methods here:
// $pageList = $request->execute()->getGraphObject()->asArray();
// foreach ($pageList as $page) {
// $pageAccessToken = $page['access_token'];
// }

// $pageToken = $result['access_token'];
// $facebookSession = new FacebookSession($pageToken);
// header("Location: index.php")
//
//   echo "<pre>";
//   print_r($graphObject);
//   $data = $graphObject->getProperty('data');
//   print_r($data);
//   echo "a".$data->getProperty('access_token')."<br>";

//   echo "</pre>";
//   //    $fbid = $graphObject->getProperty('id');              // To Get Facebook ID
//  //     $fbfullname = $graphObject->getProperty('name'); // To Get Facebook full name
//       //$femail = $graphObject->getProperty('email');    // To Get Facebook email ID
//   /* ---- Session Variables -----*/
//       //$_SESSION['FBID'] = $fbid;
//         //$_SESSION['FULLNAME'] = $fbfullname;
//       //$_SESSION['EMAIL'] =  $femail;
//     /* ---- header location after session ----*/
//   //header("Location: index.php");


?>

pjvex;11046639 wrote:

I see I chose the newbies forum wisely. I understand the concept of a session from a non-coding perspective, but when I started to write this, it became confusing to me. First... I don't know exactly when to start the session.

You have to call [man]session_start[/man] before you refer to the $_SESSION variable at all. I.e., call session_start before you either set or attempt to read session variables. The point of session_start is that PHP will try to make working with session variables very easy.

pjvex;11046639 wrote:

Does one always do it at the outset of loading a page where authentication will be required? And if that is the case, then according to [man]session_start[/man] a session is created—or the current one is resumed.

It's important to realize that authentication and a session are distinct concepts. When you authenticate someone, you typically ask for a username/email and a password and you check it against a database table or list of users or something. A session is simply a way to store information specific to some single visitor to give them a consistent experience from one page request to the next. Because HTTP is a stateless protocol, this requires that you pass a token back and forth. This token is usually called a session id and id is typically some random sequence of numbers and/or letters. You generate a random, unique session id for each user and when a user makes any request from your site, they supply this session ID so that you know who is who. The action of sharing this session id is usually accomplished by storing it as a cookie which is automatically delivered to the server with each page request.

Sessions are typically used to store a little information about a user once they have authenticated. Authentication is typically accomplished via a single page request and you remember that they have authenticated by setting some values in session. I usually store a user id and their username.

pjvex;11046639 wrote:

At one point I had

session_start()

at the beginning of the page after I return from the redirect, and I got an error that said "session already started", so I figured using session_start() more than once should be avoided.

You should definitely avoid calling session_start more than once per page request or you will get this error. If you got that error after putting session_start in some file, then that file is probably including some other file (via [man]require[/man] or [man]include[/man]) which calls session_start. You should get a better grip in your scripts and make sure you know which ones are calling session_start and which are not.

pjvex;11046639 wrote:

Also, the manual says that session_start() creates a session identifier passed via a GET or POST request, or passed via a cookie. If I call session_start() at the beginning of my index.php, where is it getting its session identifier...or when does it get it?

Part of the tricky bit here is that PHP does a lot of work for you to make sessions easy and because of this, its inner workings are not always clear. I don't personally know when PHP will create a session id for a visitor. I do know that you should only calll session_start once for a given page request and you should never refer to $SESSION before you have called session_start. Note that $SESSION, which is a standard superglobal variable is not the same thing as $session, which is just some ordinary variable name that you can define if you like, but it will not contain any session values unless you execute code that puts values there.

pjvex;11046639 wrote:

try {
  $session = $helper->getSessionFromRedirect();
} catch( FacebookRequestException $ex ) {
  $session = null;
  // When Facebook returns an error
} catch( Exception $ex ) {
  // When validation fails or other local issues
  $session = null;
}

This $session var is apparently being populated with some value defined by the PHP SDK offered by Facebook. I'm not personally familiar with this SDK -- I tried working with FB some time ago and found it to be poorly documented. I was also frustrated by the way that they seem to frequently change things without warning at Facebook. If you want to see what is in this object, you can always do this:

var_dump($session);

If you want help more specifically about the FB API then you might consider looking into an official community.

pjvex;11046639 wrote:

I am simply checking for the possibility that the user may already be logged in. And this is another point of confusion. Just because the user is logged in, this doesn't mean I have received authorization for my "app". However, I try to get $session from the

$helper->getSessionFromRedirect()

which is a method of the FacebookRedirectLoginHelper() class (instantiated immediately above). When would I have the "session identifier" referenced in the manual?

Again, I'm a bit out of my depth here, but I would imagine that you are incorrectly simplifying "user may already be logged in." In some cases, you'll need to check if a visitor is logged into facebook. In other cases, you may want to store data related to users on your site because they are accessing your site and not the FB site. It's not entirely clear to me how FB authenticates or confirms to your server whether a user is logged in or not. Sounds like you'll need to know more about this to proceed.

But I check to see if the user has logged in within the code block above in index.php. If the user has logged in, I was under the impression that the $session variable had stored the session in the line

$session = $helper->getSessionFromRedirect()

That line of code doesn't store the $session variable. It simply defines it for the duration of the current page request. Once the user requests some other page, the var $session will have to be initialized all over again by calling some suitable function. You may or may not need to store something in $_SESSION (the official PHP variable for storing session values) so that when the next page request is executed, it can find some nugget of information that helps you define $session.