Facebook PHP SDK for Canvas and FB Login

Posted: January 10th, 2011 | Filed under: Facebook, PHP

This is a short article on how to best implement the Facebook PHP SDK for two integration methods: Canvas applications and external websites offering Facebook Login to their visitors. The difference is not very well documented in the example provided with the SDK.

Facebook Login (previously Connect)

This method is used by external websites, offering their visitors an easy method of registration and login, using their Facebook account. As shown in the example code provided with the SDK, we first create an instance of the Facebook class, which we use to retrieve a session.

We will not find a session in two cases:

  1. The visitor has not authorised the website in the past
  2. The method getSession() cannot find the signed_request or session variable in the $_COOKIE or $_REQUEST variables

To be sure that the visitor has not authorised your application in the past, we redirect the visitor to Facebook using the URL returned by the method getLoginStatusUrl(). Facebook in turn redirects the visitor back to the referring URL, including a $_REQUEST['session'] variable if the visitor has indeed authorised in the past. Be sure to build in a guard so that this check runs only once per session, otherwise it will result in a redirect loop if the user is unknown.


When using Facebook Canvas (a website iframed within Facebook), the requested page within the iframe is always provided a signed_request which the SDK uses to build a "session". This means that we always know whether the visitor is an authorised user or not, making getLoginStatusUrl() superfluous. If we can't find a session (getSession()), or we can't retrieve "/me", the user has not authorised and we need to present the authorisation button.
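Both flows described above, sketched as one page handler. This is an added example, not code from the SDK or from the original post: it uses the SDK methods named in the article plus getLoginUrl() and api(), and the facebook.php path, the $isCanvas switch, the fb_status_checked session key and the app credentials are assumptions or placeholders.

```php
<?php
// Added example: login-status check with a once-per-session guard.
require 'facebook.php';      // assumed location of the SDK file
session_start();             // the PHP session stores the "already checked" flag

$isCanvas = false;           // hypothetical switch: true when served inside the Canvas iframe

$facebook = new Facebook(array(
    'appId'  => 'YOUR_APP_ID',     // placeholder
    'secret' => 'YOUR_APP_SECRET', // placeholder
    'cookie' => true,
));

$me = null;
if ($facebook->getSession()) {
    try {
        // A stored session can be expired or revoked; "/me" confirms it still works.
        $me = $facebook->api('/me');
    } catch (FacebookApiException $e) {
        $me = null;          // treat a failing session as "not authorised"
    }
}

if (!$me && !$isCanvas && empty($_SESSION['fb_status_checked'])) {
    // External website, first miss in this session: ask Facebook once.
    // Set the flag BEFORE redirecting; an unknown user comes back without
    // a session and would otherwise be redirected again, forever.
    $_SESSION['fb_status_checked'] = true;
    header('Location: ' . $facebook->getLoginStatusUrl());
    exit;
}

if ($me) {
    echo 'Hello, ' . htmlspecialchars($me['name'], ENT_QUOTES, 'UTF-8');
} else {
    // Canvas (signed_request gave no session) or external site after the
    // single status check: present the authorisation link.
    $url    = htmlspecialchars($facebook->getLoginUrl(), ENT_QUOTES, 'UTF-8');
    $target = $isCanvas ? '_top' : '_self';  // leave the iframe on Canvas
    echo '<a href="' . $url . '" target="' . $target . '">Authorise with Facebook</a>';
}
```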

The following graphic depicts the flow for both cases:

Of course, the above can also be established with the JavaScript SDK, but a little redundancy won't do any harm. And the getLoginStatusUrl method is probably a lot quicker than the JS variant.
