Facebook v4a Does Not Completely Logout User

Corona 3177 / Xcode 9.1 / iOS SDK 11.1

When using the Facebook v4a plugin, once a user is logged in, there doesn’t appear to be any way to log in as another user, short of deleting and reinstalling an app.

This can be tested using the sample Facebook app. After tapping Logout, and even after completely closing (force quitting) the app, the next time you tap Login, you get a “Continue” dialog, rather than an opportunity to enter your email and password again.

It seems the plugin is caching/remembering the user, even if the access token is reported as nil.

Searching the forums, it appears that engineering fixed a similar issue in a previous version of the plugin:

https://forums.coronalabs.com/topic/42051-does-facebooklogout-actually-do-anything/?p=224735

The token was actually being cached, and Logout was not clearing it. 

Tested on an iPad Mini, running iOS 11, official Facebook app not installed, and Facebook not logged in Safari.

Anyone?

Rob?

I thought we had fixed it or at least had it assigned to someone.  I’ve asked Engineering for an update.

Rob

Rob, any update?

This seems like a pretty big deal, not to mention a potential security risk, when the newest version of the Facebook plugin is unable to completely log out the user.

Facebook Platform Policy requires that developers “Provide a ‘Log Out’ option that functions properly and is easy to find”:

https://developers.facebook.com/policy/#login

They reiterate this in their Best Practices:  https://developers.facebook.com/docs/facebook-login/best-practices#loggingout

Once people are logged in, you should also give them a way to log out, disconnect their account, or delete it all together. In addition to being a courtesy, this is also a requirement of our Facebook Platform Policy.

Rob, have you received an update from Engineering?

Not yet, I’m re-asking.

We don’t store any Facebook information, we just invoke Facebook SDK calls. I will check what is going on there.

Vlad, any update on this?

Can you confirm what I’m seeing - that after a user is logged in, then uses Logout, the next Login results in a “Continue” rather than a chance to log in as a different user?

We do not store any credentials, we just make Facebook SDK calls. I do not understand why you see an issue here: the user is logged out of the application, but it is possible that the login remains in the browser or something like that…

Vlad, the problem is that the user is not really logged out - his credentials remain in place, and all he or anyone else has to do is tap Continue. There is no way to allow a different account to be used.

When testing this on a device, as noted in my original post, I made sure the official Facebook app was not installed, and Facebook was not logged in Safari.

It appears the Access Token is actually being cached and reused, even after the Logout call. Besides being annoying, it is also a potential security risk, and goes against Facebook policy, as I linked above.

How do I log out a Facebook user and allow a different Facebook account to be used?

Rob and Vlad, I’ll ask again: How do I log out a Facebook user and allow a different Facebook account to be used?

Have you submitted a bug report on this?

Rob, no I have not. I wasn’t clear from your and Vlad’s responses whether you considered this a bug, so I wanted to know if there is, in fact, some way to use a different Facebook account or not.

This feels like a bug to me. Can you submit a bug report? You can probably use our sample app as the demo code, just make sure to state in the description what observations you’re seeing and what your expectations are. You can use the report a bug link at the top of this page.

Rob

Submitted Ticket 11987134

Thanks!  We have an engineer tasked to the FB plugin, so having this bug report will be helpful.

Rob

Hello! After a long investigation, we confirmed multiple times this is not an issue. If you want to deauthorize your app, you can do:

local facebook = require("plugin.facebook.v4a") -- the Facebook v4a plugin discussed in this thread
facebook.request("me/permissions", "DELETE") -- very optional, and not recommended, only to test permission requests!
facebook.logout()

Then, start Safari, go to facebook.com, press ☰ in the top right, and select logout.

If you have the Facebook app installed, log out there too.

If you have iOS with a signed-in Facebook account, select Options -> Accounts -> Facebook and log out (this is only for old iOS).

After this, an attempt to log in would prompt for a password.

NOTE: Corona Facebook plugins do not store any tokens or login information. The behaviour you’re seeing is intended by Facebook and is not only the default for the Facebook iOS SDK, but cannot be changed.

Thank you.
