How can one securely log users in automatically after previous Facebook authentication?

Question

Users are complaining they have to login too frequently. If authentication is entirely built on Facebook OAuth, how can a user be logged in automatically the next time they

Answer 1

Make use of the JS-SDK FB.getLoginStatus() method:

FB.getLoginStatus(function(response) {
  if (response.authResponse) {
    // logged in and connected user, someone you know
    // reload page or use ajax to update content of page
  } else {
    // no user session available, someone you dont know
  }
});

Answer 2

Other than instructing the users to check the "keep me logged on to Facebook" checkbox, the simplest way is to set a cookie of your own which contains identifying information. Naturally there is a security concern here regarding multiple users on one computer, but it's pretty common practice and most users/sites find it perfectly acceptable.

The only thing you have to be really careful about is that your cookie value uniquely identifies the user and cannot be counterfeited by a different user. Since you are using offline_permission tokens, you could even use that as a part of a cookie value since it is already unique to each user and "unguessable" by other users. Other options would be an md5 composed of the userid plus some secret string, or even a completely random string that is stored in your db and linked to the local userid.

When the user explicitly logs off, you just clear the cookie and the user will have to authenticate again the next time around.

And just to be clear, I am interpreting your question as regarding authentication (identification) only, not authorization (permissions), since you mentioned having offline_access already granted.