Facebook Infinite Session Keys Are NOT Dead!
As the title suggests, Facebook claims to have done away with infinite session keys for some time now. What most of the wiki-based documentation doesn’t tell you, though, is that they’re still around, but under a different name, and they’re not acquired in the same way. It’s now a rather convoluted process, but here’s what you have to do:
- Type the following URL into a browser window, replacing YOUR_API_KEY with your Facebook app’s API key:
www.facebook.com/login.php?api_key=YOUR_API_KEY
- If you’re not logged in, you’ll be prompted to do so, and you’ll then be redirected to the URL that you set as your default Canvas page. Note that appended to the redirected URL you will now have an auth_token parameter, but that’s not what we’re after.
- To get the infinite session key, you now have to go to the following URL, again replacing YOUR_API_KEY with your Facebook app’s API key:
http://www.facebook.com/code_gen.php?v=1.0&api_key=YOUR_API_KEY
- This time around, you’ll land on a Facebook page, prompting you to generate a special code. Click ‘Generate’, and you’ll now get your special one-time code, which will be used to generate the infinite session key.
- Using the PHP library provided by Facebook, you need to call auth_getSession() in a temporary PHP file, which I called test.php. Be sure to set the $facebook_api_key and $facebook_api_secret variables to the ones corresponding to your app, and $auth_token should be the 5-character value that you got back from Facebook in the previous step. You’ll also need to include the Facebook PHP Library before the following code, of course!
$facebook = new Facebook($facebook_api_key, $facebook_api_secret);
$infinite_key_array = $facebook->api_client->auth_getSession($auth_token);
print_r($infinite_key_array);
- Load this test file in your browser, and you’ll see an array printed out, with the first item labeled ‘session_key’, which, you guessed it, is your infinite session key. Finally! Note that the ‘expires’ field is set to ‘0’, confirming that it really is an infinite key.
- Now for the last tricky part: how to actually use this infinite session key. Whenever you instantiate a new Facebook object, just tack on the following code right after it. Note that I keep the infinite session key in a variable in a data file, so that if it ever changes, I can change it in one place and have it work everywhere else. The $facebook_userid is simply your Facebook user ID; mine is 626200190.
$facebook->api_client->user = $facebook_userid;
$facebook->api_client->session_key = $facebook_infinite_session_key;
$facebook->api_client->expires = 0;
With the above code, you can now run cron jobs to update users’ FBML pages, post events through the API, and more. For the latter, be sure you also visit this page to grant yourself the required extended permissions.
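The article keeps the infinite session key in a data file; because the key never expires, that file is a long-lived credential. The following added example (not part of the original post or of Facebook's library) validates the array returned by auth_getSession() and stores it with owner-only permissions. The function names, file path, sample values and the presence of a 'uid' field are assumptions, and a Unix-like host is assumed.

```php
<?php
// Added example; not part of the Facebook PHP library. Function names and the
// file path are hypothetical, and the 'uid' field is an assumed part of the
// returned array. Assumes a Unix-like host (POSIX file modes).

/** Validate an auth_getSession() result and store it readable by its owner only. */
function save_infinite_session(array $result, string $path): void
{
    foreach (['session_key', 'uid', 'expires'] as $field) {
        if (!isset($result[$field]) || $result[$field] === '') {
            throw new InvalidArgumentException("auth_getSession result lacks '$field'");
        }
    }
    // The article's check for an infinite key: 'expires' must be 0.
    if ((int) $result['expires'] !== 0) {
        throw new UnexpectedValueException('Key expires; it is not an infinite session key');
    }
    $old = umask(0077);                 // new file is created as 0600
    $written = file_put_contents($path, json_encode($result), LOCK_EX);
    umask($old);
    if ($written === false || !chmod($path, 0600)) { // chmod covers a pre-existing file
        throw new RuntimeException("Cannot write $path with mode 0600");
    }
}

/** Load the stored session, refusing a file that group or others can access. */
function load_infinite_session(string $path): array
{
    $perms = @fileperms($path);
    if ($perms === false || ($perms & 0077) !== 0) {
        throw new RuntimeException("$path is missing or not mode 0600");
    }
    $data = json_decode(file_get_contents($path), true);
    if (!is_array($data) || !isset($data['session_key'], $data['uid'])) {
        throw new RuntimeException("$path does not hold a saved session");
    }
    return $data;
}

// Constructed sample shaped like the array the article prints; placeholder values.
$sample = ['session_key' => 'EXAMPLE-SESSION-KEY', 'uid' => '1234567890', 'expires' => 0];
$path = sys_get_temp_dir() . '/fb_session_demo.json'; // real file belongs outside the web root
save_infinite_session($sample, $path);
$session = load_infinite_session($path);
printf("uid=%s key_length=%d mode=%o\n",
    $session['uid'], strlen($session['session_key']), fileperms($path) & 0777);
unlink($path);
```

On each cron run, assign `$session['uid']` and `$session['session_key']` to `$facebook->api_client` as shown in the article. A FacebookRestClientException reading 'Session key invalid or no longer valid' means the stored key has to be regenerated.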
If you have any questions, don’t hesitate to contact me, or leave a comment.
thanks for this — it is quite frustrating how much facebook seems to change their API without documenting it…
First off, thanks for implementing Facebook Connect here!
I just want to say that we went to great lengths to communicate the change to infinite sessions.
Check out these blog posts:
http://developers.facebook.com/news.php?blog=1&story=116
http://developers.facebook.com/news.php?blog=1&story=130
http://developers.facebook.com/news.php?blog=1&story=132
http://developers.facebook.com/news.php?blog=1&story=135
The initial doc for it (mentioned in those posts):
http://wiki.developers.facebook.com/index.php/New_Design_Platform_Changes#Changes_to_Session_Keys
A FAQ about changes to authentication:
http://wiki.developers.facebook.com/index.php/New_Design_User_Login
http://wiki.developers.facebook.com/index.php/Authorizing_Applications
Even got a shout out on the Platform Status Feed:
http://www.facebook.com/developers/message.php#msg_270
Perhaps you should subscribe to the Developer blog RSS feed, where our major news is announced:
http://developers.facebook.com/news.php?blog=1&format=xml
And to the Platform Status Feed, where we make short, yet important announcements:
http://www.facebook.com/feeds/api_messages.php
The easy way to get an “infinite session” is to prompt your users for offline access, as described here (and again, announced in those blog posts):
http://wiki.developers.facebook.com/index.php/Extended_permissions
Thank you so very, very much for solving this for us - and to the above comment - yes - but it really seems that you should make a clearer - step-by-step way of doing things. The entire dev wiki has become overcrowded - I have to click core components and API just to find the API documentation — MediaWiki is nice - but it’s VERY cluttered. I suggest fixing ASAP.
Dear Pete,
I’m sure that it’s hard to keep all this stuff clear for everyone and I appreciate your links, but I am not a FT Facebook developer — just trying to figure out how to do a few things for an app — so I don’t have the ability to sift through the email updates or blog posts. But here is a perfect example of where the documentation is incomplete:
Searching for “infinite session” in the wiki brings up these pages as the top two results:
http://wiki.developers.facebook.com/index.php/Changing_profile_content
http://wiki.developers.facebook.com/index.php/Random_questions#Infinite_Sessions
On both of these pages the link to learn more about infinite sessions goes to non-existent pages. So, for what it’s worth, when you do the blog updates don’t forget to update the wiki :-)
Just to let you know even this seems to expire after 24 hours =/
Hi Kevin,
Thanks for the feedback — I’ve been using this very session key for several weeks now, it’s never expired. Did you follow the how-to to the letter? What was the value of ‘expires’ when you printed out the returned array?
Great article, thank you!
A nice, clear article and follows the process that I use myself for creating infinite session keys within my desktop app (wish I’d had something like this available a few months back when I started writing it).
With regards to the approach suggested by Pete B and making use of the permissions url for offline access (www.facebook.com/authorize.php) I too have run into problems with the “infinite” key being reset after 24 hours (was over a weekend), even with the “expires” value being returned as 0 in the original getSession call.
Thanks again
PeteH
Hello, I am Ian Kennedy from RedWolf Security Inc. I wish to use the Facebook API to post notes to a user’s account. My application has the offline_status, status_update, and create_note extended permissions, as well as an infinite session key, obtained as described in this article. I find that the notes.create and notes.get methods work, but not the notes.delete (I get a 1600 error, “The user does not have permission to modify this note”). I use curl to post requests directly to the REST server. What could be the trouble here? Thanks in advance.
Just to add something more to this.
I’ve changed our implementation to now make use of Facebook Connect and our application to be a web app rather than a desktop one. The session key that’s now in use (provided the permission for offline access has been granted) does appear to be infinite at the present time.
For anyone curious as to how to accomplish Step 5 using Ruby on Rails and Facebooker, this worked for me:
- Make sure Facebooker is set up correctly with your API key and secret
- run script/console
- >> f = Facebooker::Session.create
- >> f.post "facebook.auth.getSession", :auth_token => "YOURTOKENHERE"
The returned hash will contain your precious infinite session key.
Hope this helps someone!
I was able to get the infinite session key with both methods, as described in the post and as described in Bratach’s comment.
Obviously Bratach’s way is better because you don’t need to ask the user to copy any special string, it’s automatic…
The only doubt for me until now is how long these 2 session keys will remain valid.
I’ll be back after one day or two with feedback.
Thanks for the article.
Hi! I’m back to tell you that both methods work fine.
After more than 24 hours both infinite keys work as described. Let’s see after 1 week…
If this situation persists then I’ll definitely prefer Bratach’s suggested method. It’s quicker and with less user intervention.
In case that something relevant happens I’ll comment again.
Thanks.
Thanks! I agree that this stuff is really hard to find on the Facebook developer site if it’s there at all, so it’s great to see it so clearly presented here.
hi,
First of all I want to say thanks for this valuable help.
But I got a problem while fetching the FB status and other information of an FB user while using the infinite session key.
It was throwing an exception as follows:
exception ‘FacebookRestClientException’ with message ‘Session key invalid or no longer valid’ in /facebook-platform/php/facebookapi_php5_restlib.php:2708 Stack trace: #0
Pls give me the solution to solve this problem.
Inform me if you want to see my code, but it’s following all the above instructions.
thanks in advance
FYI, this works so far for the newest facebook API. Yes, you can use facebook connect and open sessions to do the same thing but that is just a bit more complicated, especially when your app may not be a multi-user type app. This is especially handy for quick cron jobs on php files to update FBML on apps. Thanks Emmanuel!
give me the sample code to create session in C# asp.net
Session key invalid or no longer valid in ruby on rails
Something isn’t working
After doing everything you told me, I wrote the following code:
$facebook = new Facebook($api_key, $api_secret);
$facebook_userid = '';
$facebook_infinite_session_key = '';
$facebook->api_client->user = $facebook_userid;
$facebook->api_client->session_key = $facebook_infinite_session_key;
$facebook->api_client->expires = 0;
$message = 'MY MESSAGE';
$attachment = array(
'name' => 'TITLE',
'href' => '', 'caption' => $message, 'description' => '');
$attachment = json_encode($attachment);
$a1 = $facebook->api_client->stream_publish($message, $attachment, '', '', '');
print_r($a1);
after running this code I get the following array:
Array
(
[error_code] => 200
[error_msg] => Permissions error
[request_args] => Array
(
[0] => Array
(
[key] => method
[value] => facebook.stream.publish
)
[1] => Array
(
[key] => session_key
[value] =>
)
[2] => Array
(
[key] => api_key
[value] =>
)
[3] => Array
(
[key] => v
[value] => 1.0
)
[4] => Array
(
[key] => message
[value] =>
)
[5] => Array
(
[key] => attachment
[value] => {”name”:”new stories”,”href”:null,”caption”:null,”description”:null}
)
[6] => Array
(
[key] => action_links
[value] =>
)
[7] => Array
(
[key] => target_id
[value] =>
)
[8] => Array
(
[key] => uid
[value] =>
)
[9] => Array
(
[key] => call_id
[value] =>
)
[10] => Array
(
[key] => sig
[value] =>
)
)
[message] => Unknown exception
[code] => 0
)
plz help to resolve this
After doing everything you told me, I wrote the following code:
$facebook = new Facebook($api_key, $api_secret);
$facebook_userid = 'USER_ID';
$facebook_infinite_session_key = 'SESSION_KEY';
$facebook->api_client->user = $facebook_userid;
$facebook->api_client->session_key = $facebook_infinite_session_key;
$facebook->api_client->expires = 0;
$message = 'MY MESSAGE';
$attachment = array(
'name' => 'TITLE',
'href' => 'LINK', 'caption' => $message, 'description' => 'LINK');
$attachment = json_encode($attachment);
$a1 = $facebook->api_client->stream_publish($message, $attachment, '', 'PAGE_ID', 'PAGE_ID');
print_r($a1);
after running this code I get the following array:
Array
(
[error_code] => 200
[error_msg] => Permissions error
[request_args] => Array
(
[0] => Array
(
[key] => method
[value] => facebook.stream.publish
)
[1] => Array
(
[key] => session_key
[value] => SESSION_KEY
)
[2] => Array
(
[key] => api_key
[value] => API_KEY
)
[3] => Array
(
[key] => v
[value] => 1.0
)
[4] => Array
(
[key] => message
[value] =>
)
[5] => Array
(
[key] => attachment
[value] => {”name”:”new stories”,”href”:null,”caption”:null,”description”:null}
)
[6] => Array
(
[key] => action_links
[value] =>
)
[7] => Array
(
[key] => target_id
[value] => PAGE_ID
)
[8] => Array
(
[key] => uid
[value] => PAGE_ID
)
[9] => Array
(
[key] => call_id
[value] => CALL_ID
)
[10] => Array
(
[key] => sig
[value] => MY_SIGNATURE
)
)
[message] => Unknown exception
[code] => 0
)
plz help to resolve this
Holy balls dude. You are a god among men.
This was VERY useful to me…
What a great solution !!!
Thank you very much !!
That’s what i need !!
ángel.
Hey just a quick note - if you change your password it kills the session (‘Session key invalid or no longer valid’) and you have to regenerate the auth_token
Some great information here keep up the good work. I cannot really leave a more constructive comment as i
hello, after 5th point:
$facebook = new Facebook($facebook_api_key, $facebook_api_secret);
$infinite_key_array = $facebook->api_client->auth_getSession($auth_token);
print_r($infinite_key_array);
I’ve got following error:
Fatal error: Uncaught exception ‘FacebookRestClientException’ with message ‘Invalid parameter’ in /srv/www/dyne.allstar.cz/easyfacetv/facebookapi_php5_restlib.php:3374 Stack trace: #0 /srv/www/dyne.allstar.cz/easyfacetv/facebookapi_php5_restlib.php(315): FacebookRestClient->call_method(’facebook.auth.g…’, Array) #1 /srv/www/dyne.allstar.cz/easyfacetv/infinite.php(14): FacebookRestClient->auth_getSession(’0I1DST’) #2 {main} thrown in /srv/www/dyne.allstar.cz/easyfacetv/facebookapi_php5_restlib.php on line 3374
I’m following your manual, but there’s some bug or something, please help me.
Thanx
I used this technique previously and successfully, but I’m now getting the same error as Jiří Bendl.