问题
I'm implementing a single sign on between Facebook Connect and my ASP.NET MVC 3 website, using the Facebook C# SDK.
Now, part of the single sign on is:
If the user is authenticated to Facebook, but not to my website, see if they are connected in my system and if so, perform a single sign on (using Forms Auth).
Now, i don't know how to "see if the user is authenticated". I'm using OAuth for server-side authentication, so i don't want to force them to sign in via the login page, just a silent check. If they're not authenticated, i wont do anything - i'll just wait for them to click the "Connect with Facebook" button.
We can do this with the JavaScript API - can we do it server-side?
I basically want the equivalent of FB.getLoginStatus via the Graph API.
Surely there must be a way server-side - at least if not via the Graph API, the old REST api or FQL?
回答1:
You can (ab)use the HTTP status codes to find that information about Facebook, the technique is described here
https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information
回答2:
After days of hunting around the net, including the Graph API, old REST API, FQL, etc - it seems the JavaScript SDK is the only one that allows this information without having a access token beforehand.
So, i had to use the JavaScript SDK:
<div id="fb-root"></div>
<script type="text/javascript">
window.fbAsyncInit = function () {
FB.init({ appId: 'xxxxxxx', status: true, cookie: false, xfbml: false
});
FB.getLoginStatus(function (response) {
if (response.session)
window.location = '/Facebook/LogOn'
});
};
(function () {
var e = document.createElement('script');
e.async = true;
e.src = document.location.protocol + '//connect.facebook.net/en_US/all.js';
document.getElementById('fb-root').appendChild(e);
} ());
</script>
Basically, i first load the JS API aysynchonrously to avoid blocking.
I then see if the user has a Facebook session. If they do, i redirect to my FacebookController
, which does the OAuth redirect (which will come back straight away with the token - since they're already auth'ed), with then sets my own cookie.
My global action filter then kicks in, sees there is a cookie, and logs the user in. Nice.
Note how i have cookie: false
- this is because i'm tracking my own cookies for the OAuth token and FB ID.
来源:https://stackoverflow.com/questions/5508057/facebook-connect-c-sdk-how-to-see-if-user-is-authenticated-to-fb-but-dont