Facebook access token invalid with message “session does not match current stored session”?

Question

I have recently started getting this error while posting to facebook newsfeed stream of an app user, I do have an offline access permission for the access tokens, and they w

Answer 1

I also faced this issue while accessing the post comments from my command utility. In my case everything was working fine, until suddenly I got the error:

The remote server returned an error: (400) Bad Request.

After diagnosing the problem, I found that the Facebook access token is expiring after a period of time even though I created it with the offline_access option as below:

https://www.facebook.com/dialog/oauth?client_id=[APPID]&redirect_uri=[URL]&scope=user_photos,email,user_birthday,user_online_presence,offline_access

After wasting of lots of time on RND, I found that there is an option in the app's Advanced Settings for Remove offline_access permission. My client had enabled it, and that's the reason my token was expiring. Have look at the image below:

Answer 2

This is undocumented but I just tested it and it works with expired access tokens. Should work on access tokens that have been invalided if you know their user id, and they haven't revoked privileges to your app. First, you can verify that you still have have the permissions you need by calling using this url:

https://graph.facebook.com/userID/permissions?access_token=appID|appSecret

If you still have publish_stream permissions, you can issue a HTTP POST to this url:

https://graph.facebook.com/userID/feed with post parameters of access_token=appID|appSecret&message=test message

Answer 3

There seem to be a lot of questions about why your token would have expired so quickly. I think I can shed some light on that. Here are a number of scenarios I have found which cause this:

There is the obvious one; the user changed his password. There is nothing you can do about this. They will need to reauthorize your app. The rest of these scenarios deal with page tokens, which are similar to a token for a user profile, except they come from querying /me/accounts with the user token of a valid administrator for the page. These seem to expire much more frequently.

It seems that if ANY administrator of a page changes their password (not necessarily the one who's token you are using), this can cause the token to expire. Also, if you have some pages in your system with the same administrator, calling /me/accounts often refreshes ALL of the tokens for the pages this user administrates. That means if you are connecting a new page for a user with existing pages, you will need to update the existing page tokens with the new ones provided by /me/accounts.

Finally, the way I deal with this in my system is to store the admin user and token as a parent of the page token in my database. This way when I need to reconnect a page or add a new page, the system can lookup and update any related page tokens received from /me/accounts. It also allows you to automatically attempt to refresh the token by calling /me/accounts when you receive the expired token exception.

Hope some of this helps!

Answer 4

It's possible for your access token to become invalid for a variety of reasons (expiry time passed, user changed password, user deauthorized your app, user logged out of Facebook, etc.). You should always design to account for this scenario.

If your users are active, it's easy to get a new access token from the OAuth endpoint without them having to do/see anything. If not, you should make a plan (such as emailing them) for how you will get them to return so you can get a new access token. The scenario you're describing is not necessarily unusual. You can find some code samples here for help on how to handle expired access tokens.

Answer 5

The offline session token is changed whenever a user changes his password. If a previously working session suddenly stops (and you're getting that error) then the user's password was changed (probably by the user) and you will need to re-prompt them to grant you offline access and save the new session token you get.

Answer 6

Check out the blog post officially from facebook: How-To: Handle expired access tokens