0

I am implementing the Facebook Login widget inside my ASP.NET 4.5 C# web application. When I clicked the login button I eventually get the accessToken. My question is regarding making the user persistant in my application.

There is data that is associated with the specific facebook user. when the user log off and log in back (assuming that the cookie might be deleted), I want to be able to recognize him again to display the relevant information.

I know that I need to use the database, but what is the best practice to do so. Should I use the user ID or email address as a unique user identification string?

I am using MySQL as the backend.

Liron Harel
  • 10,819
  • 26
  • 118
  • 217
  • You have to choose between userID or email address? Choose always userID, because it won't change never, but his email will probably do (may be not now, but in a future could be). Sorry for my bad english! – GianlucaBobbio Aug 15 '13 at 15:19

1 Answers1

1

I have been working on a similar application which uses either Facebook (OAuth), Google (OpenId) or a manual registration login approach.

My prefered solution was to ask the user for their email address, you will need to request extended permissions on the email field from Facebook as it is not offered up by default.

http://developers.facebook.com/docs/authentication/permissions

My table structure looks like this.

User
  Id (int)    
  Email (nvarchar(256))
  FacebookToken (nvarchar(256))
  GoogleToken (nvarchar(256))

The advantage to this method is you are able to link up your users to the right account if you decide later to add another authentication / identification service or roll your own. It won;t matter if they login to FB, Google or Twitter - you always know whcih account to attach them to.

It is also useful to have an email address for each of your users regardless.

Regards

Steve

CountZero
  • 6,171
  • 3
  • 46
  • 59
  • but what is the unique identifier that the user is recognized with. If its the FacebookToken, this can be changed and its not static, and the email can change too. So how can I persist a user in the db if the email or FacebookToken are volatile? – Liron Harel Aug 15 '13 at 15:31
  • 1
    The FacebookToken (OAuth) will never change, neither will their token from Google (OpenId). However email addresses may change. – CountZero Aug 15 '13 at 16:17
  • Amend - Both Facebook will give you a token which will change and an id which will not (http://stackoverflow.com/questions/6051223/oauth-2-is-access-token-a-unique-key-for-user). Yes the email address may change but once I have associated a facebook / google id with an account I no onger need to use the email address. Take a look here - this is how to get a Facebook user id through graph API. http://stackoverflow.com/questions/3546677/how-to-get-the-facebook-user-id-using-the-access-token – CountZero Aug 15 '13 at 16:30
  • 1
    Cheers Idan, pls do check my amend. Token will change but you can get an id from facebook which will not. – CountZero Aug 15 '13 at 16:38