Update: Facebook application missing session key on first visit


There are still some issues with facebook flash api vs. facebook communication. Some of them, you as an application developer, will never get into, but general user will. For example, when new user comes into your facebook iframe flash application for a first time, the first thing he see is “Allow Access?” window:


After clicking “Allow”, you should serve user your flash app. But, notice there is no fb_sig_session_key parameter in facebook iframe src. So you wount be able to verify user session with:


… and new window is opened instead (that handles the session) so users get confused…

Solution 1

After some thinking I came to this idea. Once user allowed your app, it is enough to refresh page and the session parameter is available, this can be done in javascript:

FB.Bootstrap.requireFeatures(["Connect"], function(){
    FB.Facebook.init(api_key, xd_receiver);

    // open facebook "Allow Access" window:
    FB.Connect.requireSession(function() {
        // user clicked on "Allow"
        // ask for fb_sig_session_key parameter if not found
            // lets ask for it with simple refresh
            top.location =  "http://apps.facebook.com/MYAPPNAME/";
            // we have fb_sig_session_key, ready for flash app

// support function, you can use your own test
function getRequestParameter(name){
    name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
    var regex = new RegExp("[\\?&]" + name + "=([^&#]*)");
    var results = regex.exec(window.location.href);
    return results == null ? "" : results[1];

Solution 2

Update: I just discovereded, there is a cleaner solution, as the authorizing application spec says. It states there that:

Facebook passes the following parameters to your application when a user interacts with your application:
fb_sig_added: If set to true, then the user has authorized your application.

Facebook passes the following parameters only if fb_sig_added is true (that is, if the user has authorized your application):
fb_sig_session_key: …

Facebook offers server side or client side login request (read section How Users Can Authorize an Application) in combination with Post-Authorize Redirect URL. Solutions works this way:

  1. new user comes to your app
  2. your app (client side or server side) redirects user to original facebook page where user can authorize your application (see image)
  3. after authorization user is redirected to your app again (Post-Authorize Redirect URL used, typically, you want to make this URL your canvas page)
  4. BEHOLD user is back on your app with fb_sig_session_key

Here is some code for server side redirect:

require_once 'facebook.php';

$appapikey = 'YOUR API KEY';
$facebook = new Facebook($appapikey, $appsecret);
$user = $facebook->require_login();

… or use client side (FBML) code to redirect:

  <!-- your normal code -->
   <fb:redirect url="http://www.facebook.com/login.php?v=1.0&api_key=[your_app_key]&next=[your_canvas_page_URL]&canvas="/>

10 comments so far

  1. […] See the original post here: Update: Facebook application missing session key on first visit at … […]

  2. Judith Hilinski December 19, 2009 02:03

    What is the problem with facebook? I can’t get onto my page because a stupid privacy announcement won’t move on to the next page. I am so frustrated.

  3. Jozef Chúťka December 19, 2009 11:21

    does it have something to do with facebook application or your profile page?

  4. vijay March 26, 2010 08:50

    i want to share comment on facebook without validating. is it possible?

  5. Jozef Chúťka March 28, 2010 13:42

    hi vijay. what do you mean by without validating?
    you can always use sharer.php in popup window, read

  6. vijay March 30, 2010 15:45

    When i click on allow publish button on facebook authorize page then i want to get some respond on flex.
    Because When user allow the publish permission after that i post the comments.
    Anybody have idea how it is possible?

  7. vijay March 30, 2010 15:50

    i don’t know how to check user permission. There is a ActionScript(FLEX) Facebook function to check if user have a permission?

    User allow the for publishing or not or user decline the permission or close the window without allow?

  8. Jozef Chúťka March 30, 2010 16:53

    Hi vijay,
    make it this way
    1. try publish something
    2. if error occurred (missing permission), make javascript call (FB.Connect.showPermissionDialog) to open permission dialog (it opens over flash make your flash wmode opaque), more about showPermissionDialog here http://blog.yoz.sk/2009/10/fb-connect-showpermissiondialog/
    3. second argument for FB.Connect.showPermissionDialog(permission, callback) is callback function with result.
    4. If result is granted permission, make this javascript callback function call your flash to retry publishing post

    to test extended permissions via actionscript api, use HasAppPermission class (com.facebook.commands.users.HasAppPermission)

  9. vijay March 31, 2010 13:17

    Thanx Jozef
    I understand the flow.
    But i m new in flex.
    Can u please give me the demo application with source code. I m little confusing java script with flex.

    Thank You Jozef.

  10. Jozef Chúťka April 1, 2010 09:48

    vijay, I am affraid I won’t have time for that 🙁
    in this case javascript is meant to be ran on html (facebook connect api)

Leave a comment

Please be polite and on topic. Your e-mail will never be published.