Facebook Integrated Login


#1

I just went to check why I was seeing so many errors related to the Facebook Login Integration and found:

Which I think means that the login sessions have been forcibly terminated from the Facebook end.

It looks to me like our login integration code doesn’t handle this very well: someone tries the Facebook login, and is granted a token by Facebook which doesn’t match the one we have on file. We “trust” (in the technical sense) Facebook, so if there wasn’t an existing token it wouldn’t be a problem and we’d log them in, but right now we notice that the code supplied doesn’t match the one we were expecting and just log the error and don’t let them in.

Not all Facebook accounts are affected (which is why I couldn’t work out why there was a problem, since it worked for me).

stage = "select credential";
userCredential = sec.UserCredentialSelectByUserName(service.UserData.UserId);
if (userCredential != null)
{
    // ok NOW we have a problem.
    // a user credential exists for this UserId
    // but we already tried to log in with this userid and the password we got back from google
    // and that failed. So that means that the credential we have in our database doesn't match the one
    // we got back.
    // We trust the one we got back... but... the one in our database is there for a reason,
    // doesn't seem like we should ignore it.
    // And, we don't expose API methods to delete user credentials for sessions we're not logged into
    // or to change the password unless we have the old one
    // and I don't think we should.
    Logger.Write(String.Format("Login Failed for {0} {1}: UserCredential exists but password doesn't match. {2}", service.UserData.UserId, service.UserData.Email, id), LogCategoryEnum.SecurityLogin, System.Diagnostics.TraceEventType.Critical);
}

In the next version the code will be changed to trust the new value and log the user in without complaining.
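The two policies described in the post (log and refuse on a token mismatch, versus trust the new token and log the user in) side by side, as an added example that is not the forum poster's or the project's code. It is written in Python rather than the project's C#, uses an in-memory stand-in for the credential table, and takes a hypothetical `verify_with_provider` hook in place of a real call to Facebook; the `CredentialStore`, `Credential`, `LoginResult` and `federated_login` names are all invented for this illustration. The point it adds is the check that makes the new policy safe: the stored credential is only replaced after the provider has confirmed the token is valid for this application, so a mismatch is treated as the provider re-issuing a token rather than as an arbitrary string a caller chose to present. The example also stores a hash of the provider token instead of the raw value, which is a design choice of this example, not something the post describes.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass
from typing import Callable, Dict, Optional

log = logging.getLogger("security.login")


@dataclass
class Credential:
    """Credential on file for a federated (provider-backed) user."""
    user_id: str
    provider: str
    token_hash: str  # hash of the provider token; the raw token is never stored


@dataclass
class LoginResult:
    ok: bool
    reason: str


class CredentialStore:
    """In-memory stand-in for the credential table (constructed for this example)."""

    def __init__(self) -> None:
        self._by_user: Dict[str, Credential] = {}

    def select_by_user(self, user_id: str) -> Optional[Credential]:
        return self._by_user.get(user_id)

    def upsert(self, cred: Credential) -> None:
        self._by_user[cred.user_id] = cred


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def federated_login(
    store: CredentialStore,
    verify_with_provider: Callable[[str], bool],
    user_id: str,
    provider: str,
    token: str,
    trust_new_token: bool,
) -> LoginResult:
    """Decide a login given a token the user obtained from the provider.

    verify_with_provider is a hypothetical hook that asks the identity
    provider whether `token` is valid and was issued for this application.
    Without that step, "trust the new token" would let anyone log in as
    user_id by presenting any string as the provider's token.
    """
    if not verify_with_provider(token):
        log.warning("Login failed for %s: provider rejected token", user_id)
        return LoginResult(False, "token rejected by provider")

    new_hash = hash_token(token)
    cred = store.select_by_user(user_id)

    if cred is None:
        # First login via this provider: nothing on file, so record the token.
        store.upsert(Credential(user_id, provider, new_hash))
        return LoginResult(True, "credential created")

    if hmac.compare_digest(cred.token_hash, new_hash):
        return LoginResult(True, "credential matched")

    # The provider issued a token that differs from the one on file, e.g.
    # because the provider invalidated earlier sessions.
    if not trust_new_token:
        # Policy in the post's current code: log as critical and refuse.
        log.critical(
            "Login failed for %s: UserCredential exists but token doesn't match",
            user_id,
        )
        return LoginResult(False, "credential exists but token doesn't match")

    # Policy planned for the next version: the provider vouched for the
    # token, so rotate the stored credential and log the user in.  Keep an
    # audit line, since rotations are worth watching for in the security log.
    log.warning("Rotating stored credential for %s after provider-verified mismatch", user_id)
    store.upsert(Credential(user_id, provider, new_hash))
    return LoginResult(True, "credential rotated")


def constructed_verifier(token: str) -> bool:
    """Constructed stand-in for the provider check: accepts tokens prefixed 'fb-'."""
    return token.startswith("fb-")
```

With `trust_new_token=False` a re-issued token is logged at critical and refused, which is the behaviour the post observed; with `trust_new_token=True` the same request rotates the stored hash and succeeds, and a token the provider does not vouch for is refused under either policy.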


#2

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.