Hi,
I have a tricky situation which I hope to gather opinions / feedbacks / solutions.
I have a website which only utilizes Facebook Login as its authentication mechanism. Here’s my login flow:
[list=1]
[*]User arrives at /site/index
[*]The requested Action runs
Facebook::getUser()
to see if the user is logged in.
[*][list=a]
[*]If a valid facebookid is returned, i use
User::model()->find('facebookid=:facebook')
to retrieve the user.
[*]If facebookid = 0, I create a new User model and save the facebookid in DB
[/list]
[*]I create a new FacebookUserIdentity (extends CUserIdentity) based on the facebookid and runs the
FacebookUserIdentity::authenticate()
. The authenticate() checks against the DB for this facebookid and attempt to do a
Facebook::api('/me', 'GET')
to ensure the access_token is valid.
[*]I login the user with
Yii::app()->user->login($identity);
[/list]
Now the problem is, when the user logs out of Facebook, he isn’t logged out of my website because Facebook and my website is maintaining separate session. The CWebUser checks that the user is logged in by checking against the session. In my case, I need to try
Facebook::api('/me', 'GET')
in order to ensure a valid login / access_token.
I’m thinking of creating another class where CWebUser checks against session to check against
Facebook::api('/me', 'GET')
. But i am not sure where i should start.
My last resort is not to use Yii’s authentication / authorization component and just check with
Facebook::api('/me', 'GET')
on every action that requires a valid genuine user login.
I am new with Facebook and Yii… Any help is appreciated.
Cheers,
11th