Logged in from Multiple Locations

Not sure if this is an appropriate place to ask this question, but here goes. I have a facebook app that uses both FBML and iframes embedded into the page. After some digging in, I’ve observed the following behaviour. User logs in to my application through facebook on machine A. A session is created. When the user clicks on an ajax link in the iframe from machine A (which has a different controller), the same session key gets passed, and everything is OK. Now the user logs into a second machine via facebook (scenario is they were logged in at work, go home, and log in there). When the user comes through the main page, the session key is the same as the session key from machine A, and everything is fine. but when the user clicks on an ajax link in the the iframe from Machine B, a different session key ends up at the server, and my controller ends up thinking the session is empty. Here are the calls logged in the debugger to illustrate – the first 2 are from machine a, the second from machine b:

Processing MainController#iframemyalbumstab (for 24.19.16.153 at 2008-10-09 03:41:13) [GET] Session ID: fe5049310b22b52b81fdcfa2-648283168
Processing LtrsController#populate_filters (for 24.19.16.153 at 2008-10-09 03:41:32) [POST] Session ID: fe5049310b22b52b81fdcfa2-648283168

Processing MainController#iframemyalbumstab (for 24.19.16.153 at 2008-10-09 03:41:53) [GET] Session ID: fe5049310b22b52b81fdcfa2-648283168
Processing LtrsController#populate_filters (for 24.19.16.153 at 2008-10-09 03:42:30) [POST] Session ID: 832eb578a1663fd9efe3fa1d141a9efb

Wow, that is an obscure problem! What does the FBML for the iframe looks like on Computer B? It sounds like it either isn’t including the session parameters or it is getting them confused somewhere.

What session store are you using?

Mike

Well, I’m glad that this isn’t something obvious, given the headbanging I’ve been doing (note this is my first Rails app and my first Facebook app, so it’s easily possible I’m doing something stupid).

I’m using the active record session store: config.action_controller.session_store = :active_record_store

The FBML for a given tab looks like this:

<fb:iframe src="<%=$APP_ROOT%>iframefriendsalbumstab" smartsize="yes" scrolling="no" frameborder="0"> </fb:iframe>

<h1>Friend's Albums</h1>
  <SELECT id="friends_wanted" name="friends_wanted" 
                onChange="do_js_get_friends_albums(this.value,'friends_albums');"> 
  <% for friend in @friends %>  
      <option value=<%=friend.value%> ><%=friend.name%></option>
  <% end %>
  </SELECT>

function do_js_get_friends_albums(fb_chosen_friend) {
  $('hide_filter_controls').show();
  do_js_start_load('friends_albums');
  new Ajax.Updater('friends_albums', '/ltrs/get_friends_albums?page=1&fb_chosen_friend='+fb_chosen_friend, {asynchronous:true, evalScripts:true, onComplete:function(request){do_js_finish_load('friends_albums')}});
  return false;
}

And yes, I know I’m not using the rails helpers to create the AJAX calls, but I end up having upwards of 500 or so links on a given page, and I found that the perf was a bit of a killer when I used the helpers.

I was also curious why I had the same session key being used on 2 different machines – it almost seemed like it should have generated a new session for the first call on machine b….

OK, well, I sort of solved it, so at least now I can ask a more specific question. The issue was that the browser on machine b wasn’t setting the cookie. It was a fresh install of Safari, and it only accepted cookies for sites you directly navigate to. Why it didn’t consider this scenario a direct navigation I don’t know, but once I set it to always accept cookies it was fine. Looks like the session key itself gets passed in the cookie through the iframe, which is what makes it work. On firefox everything was cool.

So I guess I have a different question – if I can’t rely on them passing it through a cookie from the client, is there an accepted way to pass the session key back and forth so my users don’t hit this problem, or should I just handle the error gracefully and tell them to turn cookies on?

There was just another question about this same issue. I honestly don’t know of a good way to handle this.

K – I did some more browsing around the web, and found the following article. Haven’t had a chance to try it yet, but it seems promising:

http://wcrawford.org/2007/08/29/revisited-faceb…