
  • How to check/get currently logged in facebook user?

    Hi,
    After long googling, I found that spring social only supports oauth authentication/authorization flow.
    However, it doesn't support features like "checking whether a facebook user is currently logged-in or not".
    Google supports similar feature using google user service.

    If we sign in using google users service, then we can get currently logged-in google user information.
    If the Google user signs out, then Google's user service returns null.

    My requirement is to make my site accessible only if there is an active login in facebook (browser).
    If the user signs out of Facebook, then my site should show the "facebook" sign in button.

    I think fb supports client-side authentication to do the above requirement. But, I need the same logic to happen in backend server.

  • #2
    You're right, Spring Social doesn't support that. Spring Social only knows whether or not the user has connected with Facebook and then, using that connection, you can fetch the user information. But whether a user has created a connection and whether or not they're logged into Facebook are two different things.

    The client-side stuff deals with this easily by considering whether or not a certain cookie value is available. I suppose it's possible for the server-side to do the same thing...and you might try using Spring Social Facebook's @FacebookCookieValue annotation in a Spring MVC controller to see if it gives any clues as to when a user is logged in or logged out of Facebook. I've not tried using @FacebookCookieValue for that purpose, but if you try it out please let us know here in the forums what you find...I'd be interested in knowing whether or not it can tell you a user's logged-in status with FB.



    • #3
      Originally posted by habuma
      You're right, Spring Social doesn't support that. Spring Social only knows whether or not the user has connected with Facebook and then, using that connection, you can fetch the user information. But whether a user has created a connection and whether or not they're logged into Facebook are two different things.

      The client-side stuff deals with this easily by considering whether or not a certain cookie value is available. I suppose it's possible for the server-side to do the same thing...and you might try using Spring Social Facebook's @FacebookCookieValue annotation in a Spring MVC controller to see if it gives any clues as to when a user is logged in or logged out of Facebook. I've not tried using @FacebookCookieValue for that purpose, but if you try it out please let us know here in the forums what you find...I'd be interested in knowing whether or not it can tell you a user's logged-in status with FB.
      Hi,
      I really appreciate your reply.
      One more thing I noticed is that if I log into my website using a Google account, and if I log out of the actual google.com website, then Google's userservice API still says that the user is logged in to my website. So, whatever I said above regarding Google's userservice is wrong.

      So, google's userservice api might be using cookie based approach which is similar to spring-social signin.
      Actually, this cookie based approach is good as it avoids extra webservice call to fb to check login status.

      The only disadvantage is that the user has to explicitly sign out of my website. Just signing out of the Facebook website doesn't mean that the user has signed out of my website.

      I have one question regarding the cookie based approach. I am using Spring Security with the default 'JSESSIONID' cookie generator. And, I am using providerUserId to generate the cookie, as I don't want one more level of signup for the user to provide a password in my website.
      In this approach, a hacker can tweak the encoded cookie value in all possibilities to match any other providerUserId. Since my REST APIs are using this cookie value (via Spring Security) to find the userId, I think there is a security hole here. How can I avoid this situation?
      I also need to know whether Spring Security has any feature to take care of CSRF attacks.

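The tampering concern in the last post applies whenever a cookie value is merely an encoding of the providerUserId. The following is an added example, not code from this thread or from Spring Security, showing one way to make such a value tamper-evident with a server-side HMAC. The class name, the cookie layout and the sample ids are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper: issues and checks a signed cookie value for a provider user id.
public class SignedUserCookie {
    private final SecretKeySpec key;
    public SignedUserCookie(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }
    private byte[] tag(byte[] payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(payload);
    }
    // Cookie value = base64url(userId|expiry) + "." + base64url(HMAC over those bytes)
    public String issue(String providerUserId, long expiresEpochSec) throws Exception {
        byte[] payload = (providerUserId + "|" + expiresEpochSec).getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + "." + enc.encodeToString(tag(payload));
    }
    // Returns the user id, or null when the value is malformed, altered or expired.
    public String verify(String cookie, long nowEpochSec) {
        try {
            String[] parts = cookie.split("\\.", -1);
            if (parts.length != 2) return null;
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            // Constant-time comparison of the recomputed tag with the presented one.
            if (!MessageDigest.isEqual(tag(payload), Base64.getUrlDecoder().decode(parts[1]))) return null;
            String text = new String(payload, StandardCharsets.UTF_8);
            int sep = text.lastIndexOf('|');
            if (Long.parseLong(text.substring(sep + 1)) < nowEpochSec) return null;
            return text.substring(0, sep);
        } catch (Exception e) {
            return null; // bad base64, missing separator, non-numeric expiry
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // server-side key, never sent to the browser
        SignedUserCookie cookies = new SignedUserCookie(secret);
        long now = System.currentTimeMillis() / 1000;
        String good = cookies.issue("1000001", now + 3600); // constructed sample id
        // The edit the post worries about: re-encode another id, keep the old tag.
        String forged = Base64.getUrlEncoder().withoutPadding().encodeToString(
                ("1000002|" + (now + 3600)).getBytes(StandardCharsets.UTF_8)) + good.substring(good.indexOf('.'));
        System.out.println("untouched -> " + cookies.verify(good, now) + ", edited -> " + cookies.verify(forged, now));
    }
}
```

Because the tag depends on a key the browser never sees, re-encoding a different providerUserId produces a value that fails verification. The cookie should still be sent only over HTTPS with the Secure and HttpOnly attributes, since a signature stops edits but not theft of a valid value.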