Facebook Connect (C# SDK) - How to See if User is Authenticated to FB, But Don't Force?

Question

I'm implementing a single sign on between Facebook Connect and my ASP.NET MVC 3 website, using the Facebook C# SDK.

Now, part of the single sign on is:

If the user is authenticated to Facebook, but not to my website, see if they are connected in my system and if so, perform a single sign on (using Forms Auth).

Now, i don't know how to "see if the user is authenticated". I'm using OAuth for server-side authentication, so i don't want to force them to sign in via the login page, just a silent check. If they're not authenticated, i wont do anything - i'll just wait for them to click the "Connect with Facebook" button.

We can do this with the JavaScript API - can we do it server-side?

I basically want the equivalent of FB.getLoginStatus via the Graph API.

Surely there must be a way server-side - at least if not via the Graph API, the old REST api or FQL?

Answer 1

You can (ab)use the HTTP status codes to find that information about Facebook, the technique is described here

https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information

Answer 2

After days of hunting around the net, including the Graph API, old REST API, FQL, etc - it seems the JavaScript SDK is the only one that allows this information without having a access token beforehand.

So, i had to use the JavaScript SDK:

<div id="fb-root"></div>
<script type="text/javascript">
    window.fbAsyncInit = function () {
        FB.init({ appId: 'xxxxxxx', status: true, cookie: false, xfbml: false
        });
        FB.getLoginStatus(function (response) {
            if (response.session)
                window.location = '/Facebook/LogOn'
        });
    };
    (function () {
        var e = document.createElement('script');
        e.async = true;
        e.src = document.location.protocol + '//connect.facebook.net/en_US/all.js';
        document.getElementById('fb-root').appendChild(e);
    } ());
</script>

Basically, i first load the JS API aysynchonrously to avoid blocking.

I then see if the user has a Facebook session. If they do, i redirect to my FacebookController, which does the OAuth redirect (which will come back straight away with the token - since they're already auth'ed), with then sets my own cookie.

My global action filter then kicks in, sees there is a cookie, and logs the user in. Nice.

Note how i have cookie: false - this is because i'm tracking my own cookies for the OAuth token and FB ID.