January 12, 2012

Not able to log out of your Facebook Connect applications? Facebook recently pushed a change, in the past day or so, such that the domain= parameter is now added to your fbsr_ cookies. If you find that your cookies are not being removed after a user attempts to log out, chances are you're experiencing the repercussions of these recent changes.

In the timestamped version (1326413659,169943147), there is a section that was added to the Facebook Connect Library:

```diff
   }
   return b;
 },
+loadMeta: function() {
+  var a = document.cookie.match('\\bfbm_' + FB._apiKey + '="([^;]*)\\b'),
+    b;
+  if (a) {
+    b = FB.QS.decode(a[1]);
+    if (!FB.Cookie._domain) FB.Cookie._domain = b.base_domain;
+  }
+  return b;
+},
 loadSignedRequest: function() {
   var a = document.cookie.match('\\bfbsr_' + FB._apiKey + '=([^;]*)\\b');
   if (!a) return null;
```
The regexp apparently fails to match because there is an extra quotation mark. Instead of:

```javascript
var a = document.cookie.match('\\bfbm_' + FB._apiKey + '="([^;]*)\\b'), b;
```

It should be:

```javascript
var a = document.cookie.match('\\bfbm_' + FB._apiKey + '=([^;]*)\\b'), b;
```

If you inspect document.cookie in a JavaScript console, you'll see no sign of how this regexp could match (i.e. the regexp would match fbm_1234="abcde" but not fbm_1234=abcde). You can also use the Chrome/Safari Web Inspector, put breakpoints on this function, and use the deminifier feature (look for the {} icon at the bottom) to double-check.

Background info: Before the OAuth2 migration, the fbs_ cookie was used. Included in the fbs_ cookie was a query string that needed to be decoded, and its base_domain parameter was used for the domain= cookie parameter. (For more background about how to set or delete cookies in JavaScript, see: http://www.quirksmode.org/js/cookies.html.)

Cookies can be cleared by setting the expiration date to 01/01/1970 GMT. However, most browsers won't know which cookie to delete unless the path= and domain= parameters are set correctly too. In other words, if you had a cookie named fbsr_1234 with domain=abc.com, the browser would not be able to delete it unless you also specified this parameter.

Until now, OAuth2 didn't include the domain= parameter in fbsr_ cookies. But with today's recent push, it is now being used. The result? If you had an old cookie without this domain= parameter and attempted to log out with this new JavaScript code, you might find that you're unable to clear it. You may also encounter strange logout issues in general and not see the fbsr_ cookie cleared correctly.
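To make both points concrete (the broken fbm_ regexp above, and why a cookie set with one domain= can't be cleared with another), here is an added example that is not part of the original post or of Facebook's JavaScript SDK. The cookie string, the API key 1234, the qsDecode stand-in for FB.QS.decode, and the CookieJar class are all constructed for illustration; the jar is a deliberately simplified model of browser behaviour in which a cookie is identified by its name, domain and path.

```javascript
// Constructed document.cookie string, as a browser would expose it: name=value
// pairs separated by "; ", with no quotation marks around the fbm_ value.
const SAMPLE_COOKIE_HEADER =
  'fbm_1234=base_domain=abc.com&uid=42; fbsr_1234=signed.payload; other=1';
const API_KEY = '1234'; // hypothetical app id used in the cookie names

// Minimal stand-in for FB.QS.decode: turn "a=b&c=d" into an object.
function qsDecode(s) {
  const out = {};
  for (const pair of s.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const k = eq < 0 ? pair : pair.slice(0, eq);
    const v = eq < 0 ? '' : pair.slice(eq + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return out;
}

// The regexp as pushed: the stray '"' after '=' means it only matches a quoted value.
function loadMetaBuggy(cookieString, apiKey) {
  const a = cookieString.match('\\bfbm_' + apiKey + '="([^;]*)\\b');
  return a ? qsDecode(a[1]) : null;
}

// Corrected regexp: no quotation mark, so an unquoted fbm_ value is captured.
function loadMetaFixed(cookieString, apiKey) {
  const a = cookieString.match('\\bfbm_' + apiKey + '=([^;]*)\\b');
  return a ? qsDecode(a[1]) : null;
}

// Toy model of a browser cookie store. A cookie is keyed by (name, domain, path),
// so an assignment with an expiry in the past removes only the cookie whose
// domain and path attributes match; with different attributes it is a no-op.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Apply a document.cookie assignment such as
  // "fbsr_1234=abc; path=/; domain=abc.com". hostDomain is the page's host,
  // used when no domain= attribute is given (a host-only cookie).
  set(cookieString, hostDomain) {
    const parts = cookieString.split(';').map(p => p.trim());
    const eq = parts[0].indexOf('=');
    const name = parts[0].slice(0, eq);
    const value = parts[0].slice(eq + 1);
    let domain = hostDomain, path = '/', expires = null;
    for (const attr of parts.slice(1)) {
      if (!attr) continue;
      const [k, v] = attr.split('=');
      const key = k.toLowerCase();
      if (key === 'domain') domain = v;
      else if (key === 'path') path = v;
      else if (key === 'expires') expires = new Date(v);
    }
    const id = `${name}|${domain}|${path}`;
    if (expires && expires.getTime() <= Date.now()) this.store.delete(id);
    else this.store.set(id, value);
  }

  has(name) {
    return [...this.store.keys()].some(k => k.startsWith(name + '|'));
  }
}

// Build the assignment that clears a cookie: 1970 expiry plus the attributes
// that must match the cookie being removed.
function deletionString(name, domain, path = '/') {
  let s = name + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=' + path;
  if (domain) s += '; domain=' + domain;
  return s;
}

function demo() {
  const meta = loadMetaFixed(SAMPLE_COOKIE_HEADER, API_KEY);
  const baseDomain = meta ? meta.base_domain : undefined; // 'abc.com'
  const host = 'www.abc.com';

  // The scenario from the post: an old fbsr_ cookie set without domain= (host-only),
  // then new logout code that clears it with domain=base_domain. Different key, no-op.
  const jar = new CookieJar();
  jar.set('fbsr_1234=oldpayload; path=/', host);
  jar.set(deletionString('fbsr_1234', baseDomain), host);
  const oldCookieSurvives = jar.has('fbsr_1234');

  // Clearing with attributes matching the original cookie actually removes it.
  jar.set(deletionString('fbsr_1234', undefined), host);
  const clearedWhenMatching = !jar.has('fbsr_1234');

  return { baseDomain, oldCookieSurvives, clearedWhenMatching };
}
```

Real browsers add further rules the toy omits (a domain= attribute is normalized to a domain cookie that also covers subdomains, and secure/httponly attributes apply), but the mismatch shown in demo() is exactly why a logout that now sends domain= leaves a cookie that was set without it in place.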

Facebook will most likely fix this issue soon, though in the interim your users may not be able to log out of your app. One thing we've done is to use server-side code to instruct the browser to clear the cookie, though it may not always work unless your page invokes FB.init() properly and receives back a cross-domain request from Facebook to set the domain= properly. You can examine this code for how you can delete cookies from the server side:
