
Storing Facebook Info in ASP.NET: Session, Cookies or Identity?

https://www.devze.com 2023-04-10 08:13 Source: web

So, simple question:

After the user authorizes my app (OAuth 2.0), I make a call to the Facebook Graph API to fetch their details.

So at this point in time, I have their Facebook ID, an access token for API calls, their email, and some other basic info.

I'm working on an ASP.NET MVC 3 web application that uses Forms Authentication and a custom ticket to store extra data.

A lot of examples I've seen have shown storing the info in Session.

Is this wise? Because I'm working on a single-sign-on (e.g. users can "sign in" to my website with Facebook Connect), I only really "care" about their Facebook info if they are already logged in to my website.

With that in mind, I'm wondering if it's worthwhile segregating the info across different persistence mechanisms.

For instance, since the Facebook ID doesn't change, I could store that in the Forms Authentication ticket, and perhaps store the access token in a cookie, with the expiry set to the expiry received in the HTTP response.

How do people go about storing Facebook information in an ASP.NET (MVC - but not specifically limited to) application?


Don't store Facebook info in a session. The JavaScript SDK saves a special cookie for you called fbsr_APP_ID with a signed_request, so you can verify all requests to your server and obtain the necessary info. Most of the API calls you can make from the JavaScript API to Facebook.

You can always check on any page of your app if the user is logged in with FB.getLoginStatus
https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/

If the user is not logged in you can use FB.login to log in: https://developers.facebook.com/docs/reference/javascript/FB.login/

Storing info in sessions does not scale well. It takes memory on your server, etc.

Hope this helps.

EDIT: Just to add to the above: don't store any info beyond uid and access token in any persistent storage; basic info from the Graph API "me" call, for example, might be stored in a database. For the needs of the UI, basic things like name and picture might be constructed within the UI with the help of XFBML tags and URLs, etc. The JavaScript API is also responsible for saving a cookie with the signed_request, which can be verified on the server.
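The server-side verification this answer relies on, as an added example that is not part of the original answer or of Facebook's SDK: the fbsr_APP_ID cookie carries a signed_request of the form "signature.payload" (both base64url), where the signature is HMAC-SHA256 over the encoded payload keyed with the app secret. The class and method names below are my own; the app ID and secret are assumed to come from your configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Script.Serialization;

// Server-side check of the fbsr_<APP_ID> cookie written by the Facebook JavaScript SDK.
// Cookie value: "<signature>.<payload>", both base64url-encoded; the signature is
// HMAC-SHA256 over the raw encoded payload string, keyed with the app secret.
public static class FacebookSignedRequest   // hypothetical class name
{
    // Returns the decoded payload (user_id, code, issued_at, ...) or null when the
    // cookie is missing, malformed, or its signature does not verify.
    public static IDictionary<string, object> ReadFromRequest(HttpRequestBase request,
                                                              string appId, string appSecret)
    {
        HttpCookie cookie = request.Cookies["fbsr_" + appId];
        return cookie == null ? null : Verify(cookie.Value, appSecret);
    }

    public static IDictionary<string, object> Verify(string signedRequest, string appSecret)
    {
        if (string.IsNullOrEmpty(signedRequest) || string.IsNullOrEmpty(appSecret)) return null;
        string[] parts = signedRequest.Split('.');
        if (parts.Length != 2) return null;

        byte[] providedSig;
        byte[] payloadBytes;
        try
        {
            providedSig = Base64UrlDecode(parts[0]);
            payloadBytes = Base64UrlDecode(parts[1]);
        }
        catch (FormatException) { return null; }

        // Recompute the MAC over the encoded payload exactly as it was received.
        byte[] expectedSig;
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(appSecret)))
            expectedSig = hmac.ComputeHash(Encoding.UTF8.GetBytes(parts[1]));

        if (!FixedTimeEquals(providedSig, expectedSig)) return null;

        // Only now is the payload trustworthy; parse it and confirm the declared algorithm.
        var payload = new JavaScriptSerializer().DeserializeObject(
            Encoding.UTF8.GetString(payloadBytes)) as IDictionary<string, object>;
        if (payload == null) return null;

        object algorithm;
        if (!payload.TryGetValue("algorithm", out algorithm) ||
            !"HMAC-SHA256".Equals(algorithm as string, StringComparison.OrdinalIgnoreCase))
            return null;

        return payload;
    }

    // base64url -> standard base64 (restore '+' '/' and the '=' padding), then decode.
    private static byte[] Base64UrlDecode(string input)
    {
        string s = input.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
        }
        return Convert.FromBase64String(s);
    }

    // Constant-time comparison so a wrong signature does not leak where it differs
    // (.NET 4, the MVC 3 era, has no built-in fixed-time compare).
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Call ReadFromRequest from an action or an authorization filter and use the user_id from the verified payload; anything taken from the cookie before the MAC check is just client-supplied text.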


You can put whatever you want in userData:

 // FormsAuthenticationTicket(version, name, issueDate, expiration, isPersistent, userData, cookiePath)
 var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
     DateTime.Now.AddMinutes(30), false, userData, FormsAuthentication.FormsCookiePath);


If you create a little class to hold the Facebook properties you need, you can serialize it to a Base64 encoded string and store that in the Roles property of the FormsAuthentication Ticket (the cookie).


I decided to use a mix of Session and the Forms Auth ticket.

In the ticket, I store the user's Facebook ID, as this does not change.

However, I also need to store whether the user is currently authenticated to Facebook (just a basic flag) and the OAuth token.

It doesn't make sense to store this data in the cookie, because if they logged out of Facebook or the OAuth token expires, I'd then either have to update the cookie or sign them out of Forms Authentication.

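One way to implement the split described in the two answers above (a small serialized class in the ticket's userData, and the short-lived OAuth token plus "logged in to Facebook" flag in Session), as an added example rather than code from either answer. Class, method and Session key names are my own; the 30-minute ticket lifetime and the assumption that the token's expiry was taken from Facebook's OAuth response are placeholders.

```csharp
using System;
using System.Text;
using System.Web;
using System.Web.Script.Serialization;
using System.Web.Security;

// Only the Facebook data that never changes goes into the ticket (hypothetical class).
public class FacebookTicketData
{
    public string FacebookId { get; set; }
}

public static class FacebookSignIn   // hypothetical class name
{
    private const string TokenKey = "fb_access_token";      // hypothetical Session keys
    private const string TokenExpiryKey = "fb_token_expiry";

    // Issues the Forms Authentication cookie with the serialized Facebook data in
    // userData, and keeps the OAuth token server-side in Session with its expiry.
    public static void SignIn(HttpContextBase ctx, string userName, string facebookId,
                              string accessToken, DateTime tokenExpiresUtc)
    {
        var data = new FacebookTicketData { FacebookId = facebookId };
        string json = new JavaScriptSerializer().Serialize(data);
        string userData = Convert.ToBase64String(Encoding.UTF8.GetBytes(json));

        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, userData, FormsAuthentication.FormsCookiePath);

        // Encrypt() both encrypts and signs the ticket with the machineKey, so the
        // browser can neither read nor alter userData.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        ctx.Response.Cookies.Add(cookie);

        ctx.Session[TokenKey] = accessToken;
        ctx.Session[TokenExpiryKey] = tokenExpiresUtc;
    }

    // Reads the Facebook ID back out of the ticket on any later request.
    public static string GetFacebookId(HttpContextBase ctx)
    {
        var identity = ctx.User != null ? ctx.User.Identity as FormsIdentity : null;
        if (identity == null || string.IsNullOrEmpty(identity.Ticket.UserData)) return null;

        string json = Encoding.UTF8.GetString(Convert.FromBase64String(identity.Ticket.UserData));
        var data = new JavaScriptSerializer().Deserialize<FacebookTicketData>(json);
        return data == null ? null : data.FacebookId;
    }

    // Returns the token only while it is still valid. An expired token simply drops out
    // of Session; the Forms Authentication cookie is never touched, which is the point
    // of keeping the two apart.
    public static string TryGetAccessToken(HttpContextBase ctx, DateTime nowUtc)
    {
        var token = ctx.Session[TokenKey] as string;
        var expiry = ctx.Session[TokenExpiryKey] as DateTime?;
        if (token == null || expiry == null || expiry.Value <= nowUtc)
        {
            ctx.Session.Remove(TokenKey);
            ctx.Session.Remove(TokenExpiryKey);
            return null;
        }
        return token;
    }

    // The "is the user currently authenticated to Facebook" flag, derived rather than stored.
    public static bool IsFacebookAuthenticated(HttpContextBase ctx, DateTime nowUtc)
    {
        return TryGetAccessToken(ctx, nowUtc) != null;
    }
}
```

Keep the serialized class small: the whole encrypted ticket has to fit in one cookie (browsers cap cookies at roughly 4 KB), and the ticket is only as safe as the machineKey it is encrypted with, so that key must be set explicitly and shared across any web farm.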
