Tom, I read the blog you posted initially about the logout problems you guys have. Here are my comments about what you said in your blog. This is only my theory; I never tried this myself, though.
After some Googling for simulating a POST with PHP it still didn’t work. Why? How would Facebook know which user clicked to log out if the request for it comes from a people.emich.edu server? There is no user variable which can be attached to the logout string.
I still think simulating a POST (to the Facebook logout page) within your PHP should work. Because you are creating the Facebook session within your MYB session, the Facebook session is implicitly "owned" by the MYB session. Every request you make to Facebook after a "login" is in the context of this session.
In general, when a user logs out, the session is invalidated and cannot be used anymore. There is no user variable attached to logout requests because a session is always tied to one and only one user.
How would Facebook know which user clicked to log out if the request for it comes from a people.emich.edu server? There is no user variable which can be attached to the logout string. Suppose 10 people are logged in simultaneously at MapYourBuddies and one wants to log out; how can Facebook perform the logout from the server side without any reference to the user?
If 10 users are logged in to MYB, there are 10 MYB sessions, each holding a reference to one Facebook session (remember? You would've called Facebook login 10 times). So, your MYB sessions are always mapped 1 to 1 with Facebook sessions. Since Facebook uses session cookies (mentioned in their privacy policy) to keep track of the session, you don't have to differentiate between the users when posting to the Facebook logout page. All they need to know is the session to invalidate.
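The 1-to-1 mapping described above, as an added example that is not part of the original post. It is an in-memory model in Python rather than PHP, and `Upstream`, `App` and `demo` are hypothetical stand-ins for the remote site and the MYB server, not Facebook's real API.

```python
import secrets

class Upstream:
    """Stand-in for the remote site: sessions are keyed by cookie only."""
    def __init__(self):
        self.sessions = {}                      # session cookie -> account name

    def login(self, account):
        cookie = secrets.token_hex(16)          # unguessable session identifier
        self.sessions[cookie] = account
        return cookie

    def logout(self, cookie=None):
        # The request carries no user field; the cookie alone selects the session.
        # A call with no cookie, or an unknown one, invalidates nothing.
        return self.sessions.pop(cookie, None) is not None

    def is_active(self, cookie):
        return cookie in self.sessions


class App:
    """Stand-in for the MYB server: one stored upstream cookie per local session."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.jar = {}                           # local session id -> upstream cookie

    def login(self, account):
        local_id = secrets.token_hex(16)
        self.jar[local_id] = self.upstream.login(account)
        return local_id

    def logout(self, local_id):
        cookie = self.jar.pop(local_id, None)   # drop the local mapping first
        return self.upstream.logout(cookie)     # a server-side POST would send this cookie


def demo():
    up = Upstream()
    app = App(up)
    ids = [app.login(f"user{i}") for i in range(10)]   # constructed sample users
    cookies = dict(app.jar)
    no_cookie = up.logout()                     # logout call that carries no session
    one_out = app.logout(ids[3])                # one of the ten users logs out
    still_active = sum(up.is_active(c) for c in cookies.values())
    return no_cookie, one_out, still_active, up.is_active(cookies[ids[3]])
```

In a real server-side POST the stored cookie would be replayed from a per-user cookie jar; the model only shows that the cookie, not a user parameter, selects the session to invalidate.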
Comments (1)
Thanks Chidambaram! The problem is that no session is attached to the logout.php. You could even call the logout PHP without being logged in. How should Facebook know that it comes from you when the call originates from the server and not from your browser? And we somehow need to tell Facebook that we are logged out... If you only invalidate the session object on the client side this will not be enough?
Posted by Tom | April 2, 2007 1:54 PM
Posted on April 2, 2007 13:54