
function fb_settings_session_helper in Drupal for Facebook 6.2

Forces the session_name and session_id to be appropriate when Facebook controls the session. Call this function from custom session_inc files, before session_start() is called.

1 call to fb_settings_session_helper()
fb_session.inc in ./fb_session.inc
This file is a replacement for Drupal's session.inc. It is not truly a replacement, since it includes the default session.inc to do the heavy lifting. In this file we set up some variables and functions to handle facebook-controlled sessions.
1 string reference to 'fb_settings_session_helper'
fb_session.inc in ./fb_session.inc
This file is a replacement for Drupal's session.inc. It is not truly a replacement, since it includes the default session.inc to do the heavy lifting. In this file we set up some variables and functions to handle facebook-controlled sessions.

File

./fb_settings.inc, line 69
This file is to be included from your sites/.../settings.php file.

Code

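/**
 * Forces the session_name and session_id to be appropriate when Facebook
 * controls the session.
 *
 * Call this from a custom session.inc before session_start() is called.
 * Depending on the request it records the application key, session key and
 * page type via fb_settings(), then renames the session (and for canvas pages
 * forces a session id) so each app/session pair gets its own Drupal session.
 *
 * Fixes in this revision:
 * - $conf is now imported with "global"; previously it was an undefined local,
 *   so the fb_connect_primary_apikey shortcut could never take effect.
 * - The primary-apikey cookie lookup used an undefined $primary_apikey and
 *   therefore never matched; it now uses $apikey like the line that reads it.
 * - The cookie scan only accepts names that *end* in "_session_key" with a
 *   non-empty prefix, instead of any name merely containing that substring.
 *
 * No return value; all results are stored through fb_settings() and by
 * calling session_name()/session_id().
 */
function fb_settings_session_helper() {
  // This runs before the session and the variable table are initialized, so
  // the only source for fb_connect_primary_apikey is the settings.php $conf
  // array (variable_get() is not usable yet).
  global $conf;

  if (isset($_REQUEST['fb_sig_api_key'])) {
    // It's a canvas page or event callback.
    // NOTE(review): the fb_sig_* values are read straight from the request,
    // before any signature check has run here.  Everything derived from them
    // later in this function (session name, forced session id) therefore
    // reflects what the client sent; the signature must still be verified
    // downstream before the session is treated as authenticated.
    fb_settings(FB_SETTINGS_APIKEY, $_REQUEST['fb_sig_api_key']);
    fb_settings(FB_SETTINGS_TYPE, FB_SETTINGS_TYPE_CANVAS);
    if (isset($_REQUEST['fb_sig_session_key'])) {
      // User has authorized the app, facebook controls session.
      fb_settings(FB_SETTINGS_SESSION_KEY, $_REQUEST['fb_sig_session_key']);
    }
    elseif (isset($_REQUEST['_fb_fromhash'])) {
      // _fb_fromhash is a cryptically named parameter sometimes appended to URLs on canvas pages.
      // If present, it can be used as a session for users who have not even authorized the app.
      // It is unsigned and caller-supplied, so a session keyed on it is only
      // as trustworthy as the URL it arrived on.
      fb_settings(FB_SETTINGS_SESSION_KEY, $_REQUEST['_fb_fromhash']);
    }
  }
  elseif (variable_get('fb_session_cookieless_iframe', FALSE) && function_exists('_fb_settings_parse') && ($session_key = _fb_settings_parse(FB_SETTINGS_CB_SESSION))) {
    // In special cases we embed the session key in the URL.
    // This is one way to force a session when a browser will not accept a cookie from an iframe.
    if ($label = _fb_settings_parse(FB_SETTINGS_CB)) {
      // Drupal 6 placeholder query: the label is bound via '%s', not interpolated.
      if ($apikey = db_result(db_query("SELECT apikey FROM {fb_app} WHERE label='%s'", array(
        $label,
      )))) {
        fb_settings(FB_SETTINGS_APIKEY, $apikey);
        fb_settings(FB_SETTINGS_LABEL, $label);
        fb_settings(FB_SETTINGS_SESSION_KEY, $session_key);
        fb_settings(FB_SETTINGS_TYPE, FB_SETTINGS_TYPE_CANVAS);
      }
    }
  }
  else {
    // We're not in a canvas page.
    // We might be in a facebook connect page.  We have to inspect cookies to make sure.
    // Note variables are initialized after the session, so we can't use variable_get().
    $apikey = isset($conf['fb_connect_primary_apikey']) ? $conf['fb_connect_primary_apikey'] : NULL;
    if ($apikey) {
      // Set $conf['fb_connect_primary_apikey'] for more efficient and reliable cookie inspection.
      // The cookie is named "<apikey>_session_key".
      $cookie_name = $apikey . '_session_key';
      if (isset($_COOKIE[$cookie_name])) {
        fb_settings(FB_SETTINGS_APIKEY, $apikey);
        fb_settings(FB_SETTINGS_SESSION_KEY, $_COOKIE[$cookie_name]);
        fb_settings(FB_SETTINGS_TYPE, FB_SETTINGS_TYPE_CONNECT);
      }
    }
    else {
      // Less efficient and more error prone cookie inspection: look for the
      // first cookie named "<apikey>_session_key" and take its prefix as the apikey.
      $session_key = '';
      $suffix = '_session_key';
      $suffix_len = strlen($suffix);

      // TODO: make this more efficient.
      foreach ($_COOKIE as $key => $value) {
        $pos = strlen($key) - $suffix_len;
        // Require a non-empty prefix and an exact suffix match, so names that
        // merely contain "_session_key" somewhere in the middle are skipped.
        if ($pos > 0 && substr($key, $pos) === $suffix) {
          $apikey = substr($key, 0, $pos);
          $session_key = $value;
          break;
        }
      }
      // $apikey is NULL unless the loop above found a matching cookie.
      if (isset($apikey)) {
        fb_settings(FB_SETTINGS_APIKEY, $apikey);
        fb_settings(FB_SETTINGS_SESSION_KEY, $session_key);
        fb_settings(FB_SETTINGS_TYPE, FB_SETTINGS_TYPE_CONNECT);
      }
    }
  }

  // By default Drupal will name the session based on the $cookie_domain.
  // When facebook controls the session, we need a different name.
  // A request carrying fb_session_no opts out of the facebook-specific naming.
  if (!isset($_REQUEST['fb_session_no']) && fb_settings(FB_SETTINGS_APIKEY) && fb_settings(FB_SETTINGS_TYPE)) {
    // Set session name differently for each app.
    // Naming on type + apikey alone is not sufficient: in fb connect, one user
    // may log out of facebook and another log in using the same browser, and
    // we never get a logout event.  Including the session key keeps those
    // two users in different Drupal sessions.
    session_name('SESS' . fb_settings(FB_SETTINGS_TYPE) . md5(fb_settings(FB_SETTINGS_APIKEY) . fb_settings(FB_SETTINGS_SESSION_KEY)));

    // Unique to session, if known.
    if (fb_settings(FB_SETTINGS_TYPE) == FB_SETTINGS_TYPE_CANVAS && fb_settings(FB_SETTINGS_SESSION_KEY)) {
      // Spoof a cookie, and make it the same for both FBML and iframe canvas pages.
      // The id is a deterministic function of apikey + session key, so anyone
      // presenting the same pair lands in the same Drupal session; the session
      // key is the secret that keeps this from being guessable.
      $session_id = 'fb_canvas_' . md5(fb_settings(FB_SETTINGS_APIKEY) . fb_settings(FB_SETTINGS_SESSION_KEY));
      session_id($session_id);
      $_COOKIE[session_name()] = $session_id;
      fb_settings('fb_session_id_force', $session_id);
    }
  }

  // Also disable Drupal's caching, because a 'connected' user is not truly anonymous.
  if (fb_settings(FB_SETTINGS_SESSION_KEY)) {
    $GLOBALS['conf']['cache'] = 0;
  }
}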