
Response to Tom's comments

Tom,
I read the comment (repeated below) you wrote about my earlier response.

Thanks Chidambaram! The problem is that no session is attached to the logout.php. You could even call the logout PHP without being logged in-- How should Facebook know that it comes from you when the call originates from the server and not from your browser... And we somehow need to tell Facebook that we are logged out... If you only invalidate the session object on the client side this will not be enough?

If you call Facebook's logout PHP, it will get the session information from the request object that you are implicitly sending (by posting to their logout page), and Facebook invalidates the session as part of the logout process.

In general, a logout process will never require a user ID or username. All the server cares about is the session. Even if you want to persist some user data to the database or something, you get the user info from the session and not as a parameter. Try this: open your browser and log in to Facebook, then open another browser and log in to Facebook again. These are two different sessions. Even if you log off from one of these, the other will still function. That means that, regardless of who the logged-in user is, the Facebook server just kills the session tied to that browser and nothing more.

You still need to invalidate your MYB session in your PHP (not in your client) after calling Facebook's logout page.
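A sketch of that server-side invalidation, as an added example rather than code from the original post: the function name `mybLogout`, the `user_id` session key and the `/login.php` redirect are assumptions, and the call to Facebook's logout page is left out.

```php
<?php
// Added example: server-side logout for the local (MYB) session.
// mybLogout(), the 'user_id' key and /login.php are hypothetical names.

function mybLogout()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // binds to the session ID in this browser's cookie
    }

    // Identity comes from the session, never from a request parameter
    // such as $_POST['userid']; a caller cannot name someone else's session.
    $userId = $_SESSION['user_id'] ?? null;

    // Drop all session data held on the server.
    $_SESSION = [];

    // Expire the session cookie in the browser as well.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Remove the server-side session record. Only this session is
    // destroyed; the same user's sessions in other browsers stay valid.
    session_destroy();

    return $userId; // null when nobody was logged in on this session
}

// Accept logout only as a POST, matching the "posting to the logout page" flow.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $who = mybLogout();
    error_log('logout for session user: ' . ($who ?? 'none'));
    header('Location: /login.php');
    exit;
}
http_response_code(405);
```

Clearing `$_SESSION` and the cookie without `session_destroy()` would leave the server-side record in place, so a copied session ID could still be replayed until it expires.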
