Facebook Infinite Session Keys Are NOT Dead!

As the title suggests, Facebook claims to have done away with infinite session keys for some time now. What most of the wiki-based documentation doesn’t tell you, though, is that they’re still around, but under a different name, and they’re not acquired in the same way. It’s now a rather convoluted process, but here’s what you have to do:

  1. Type the following URL into a browser window, replacing YOUR_API_KEY with your Facebook app’s API key:

    www.facebook.com/login.php?api_key=YOUR_API_KEY

  2. If you’re not logged in, you’ll be prompted to do so, and you’ll then be redirected to the URL that you set as your default Canvas page. Note that appended to the redirected URL you will now have an auth_token parameter, but that’s not what we’re after.
  3. To get the infinite session key, you now have to go to the following URL, again replacing YOUR_API_KEY with your Facebook app’s API key:

    http://www.facebook.com/code_gen.php?v=1.0&api_key=YOUR_API_KEY

  4. This time around, you’ll land on a Facebook page, prompting you to generate a special code. Click ‘Generate’, and you’ll now get your special one-time code, which will be used to generate the infinite session key.
  5. Using the PHP library provided by Facebook, you need to call auth_getSession() in a temporary PHP file, which I called test.php. Be sure to set the $facebook_api_key and $facebook_api_secret variables to the ones corresponding to your app, and $auth_token should be the 5-character value that you got back from Facebook in the previous step. You’ll also need to include the Facebook PHP Library before the following code, of course!

    // $facebook_api_key / $facebook_api_secret: your app's credentials.
    // $auth_token: the one-time code generated in step 4.
    $facebook = new Facebook($facebook_api_key, $facebook_api_secret);
    // Exchange the one-time code for a session (array with 'session_key' and 'expires').
    $infinite_key_array = $facebook->api_client->auth_getSession($auth_token);
    print_r($infinite_key_array);

  6. Load this test file in your browser, and you’ll see an array printed out, with the first item labeled ‘session_key’, which, you guessed it, is your infinite session key. Finally! Note that the ‘expires’ field is set to ‘0’, confirming that it really is an infinite key.
  7. Now for the last tricky part: how to actually use this infinite session key. Whenever you instantiate a new Facebook object, just tack on the following code right after. Note that I keep the infinite session key in a variable in a data file, so that if it ever changes, I can change it in one place and have it work everywhere else. The $facebook_userid is simply your Facebook userid; mine is 626200190.

    // Attach the stored session to the client instead of logging in interactively.
    $facebook->api_client->user = $facebook_userid;
    $facebook->api_client->session_key = $facebook_infinite_session_key;
    $facebook->api_client->expires = 0;

With the above code, you can now run cron jobs to update users’ FBML pages, post events through the API, and more. For the latter, be sure you also visit this page to grant yourself the required extended permissions.
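
One way to handle the key from steps 5 to 7 in unattended cron jobs, as an added example that is not part of the original post or of Facebook's library: it stores the auth_getSession() result in an owner-only file instead of printing it in a browser, and logs the 'Session key invalid or no longer valid' failure that commenters below report. SESSION_FILE and the functions store_session(), attach_session() and run_job() are hypothetical names; Facebook, api_client, auth_getSession() and FacebookRestClientException are the library names used on this page.

```php
<?php
// Added example; assumes the Facebook PHP library is already included.
// SESSION_FILE is a hypothetical path: keep it outside the web root.
define('SESSION_FILE', '/etc/myapp/fb_session.json');

// Step 5, run once from the command line: exchange the one-time code and
// store the result instead of printing it on a browser-reachable page.
function store_session(Facebook $facebook, $auth_token, $facebook_userid, $path = SESSION_FILE)
{
    $session = $facebook->api_client->auth_getSession($auth_token);
    // Only a session with 'expires' == 0 is usable for unattended jobs.
    if (!isset($session['session_key'], $session['expires'])
        || (int) $session['expires'] !== 0) {
        throw new RuntimeException('auth_getSession() returned no non-expiring session');
    }
    $record = json_encode(array(
        'user'        => $facebook_userid,
        'session_key' => $session['session_key'],
    ));
    $old_umask = umask(0077);            // a new file is created owner-only
    $written = file_put_contents($path, $record, LOCK_EX);
    umask($old_umask);
    // chmod covers the case where the file already existed with looser modes.
    if ($written === false || !chmod($path, 0600)) {
        throw new RuntimeException("cannot store session in $path");
    }
}

// Step 7, in every cron job: attach the stored session to a new Facebook object.
function attach_session(Facebook $facebook, $path = SESSION_FILE)
{
    clearstatcache();
    $mode = fileperms($path);
    // Refuse a key file that group or other users can read or write.
    if ($mode === false || ($mode & 0077) !== 0) {
        throw new RuntimeException("$path must be accessible by its owner only");
    }
    $record = json_decode(file_get_contents($path), true);
    if (!is_array($record) || empty($record['user']) || empty($record['session_key'])) {
        throw new RuntimeException("$path does not contain a stored session");
    }
    $facebook->api_client->user        = $record['user'];
    $facebook->api_client->session_key = $record['session_key'];
    $facebook->api_client->expires     = 0;
}

// Run one API call ($job receives $facebook->api_client) and report a dead
// key, e.g. 'Session key invalid or no longer valid' after a password change.
function run_job(Facebook $facebook, $job, $path = SESSION_FILE)
{
    attach_session($facebook, $path);
    try {
        return call_user_func($job, $facebook->api_client);
    } catch (FacebookRestClientException $e) {
        // Log the error text only, never the session key itself.
        error_log('Facebook API call failed: ' . $e->getMessage());
        return false;
    }
}
```

Call store_session() once after step 4; if run_job() starts returning false, generate a new one-time code and store a fresh session.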

If you have any questions, don’t hesitate to contact me, or leave a comment.

Posted: January 18, 2009

Comments

  1. 2009.01.29 @ 9:27 brian

    thanks for this — it is quite frustrating how much facebook seems to change their API without documenting it…

  2. 2009.01.29 @ 14:08 Pete Bratach

    First off, thanks for implementing Facebook Connect here!

    I just want to say that we went to great lengths to communicate the change to infinite sessions.

    Check out these blog posts:
    http://developers.facebook.com/news.php?blog=1&story=116
    http://developers.facebook.com/news.php?blog=1&story=130
    http://developers.facebook.com/news.php?blog=1&story=132
    http://developers.facebook.com/news.php?blog=1&story=135

    The initial doc for it (mentioned in those posts):
    http://wiki.developers.facebook.com/index.php/New_Design_Platform_Changes#Changes_to_Session_Keys

    A FAQ about changes to authentication:
    http://wiki.developers.facebook.com/index.php/New_Design_User_Login
    http://wiki.developers.facebook.com/index.php/Authorizing_Applications

    Even got a shout out on the Platform Status Feed:
    http://www.facebook.com/developers/message.php#msg_270

    Perhaps you should subscribe to the Developer blog RSS feed, where our major news is announced:
    http://developers.facebook.com/news.php?blog=1&format=xml

    And to the Platform Status Feed, where we make short, yet important announcements:
    http://www.facebook.com/feeds/api_messages.php

    The easy way to get an “infinite session” is to prompt your users for offline access, as described here (and again, announced in those blog posts):
    http://wiki.developers.facebook.com/index.php/Extended_permissions

  3. 2009.02.02 @ 20:11 William Evan Kasel

    Thank you so very, very much for solving this for us – and to the above comment – yes – but it really seems that you should make a clearer – step-by-step way of doing things. The entire dev wiki has become overcrowded – I have to click core components and API just to find the api documentation — mediawiki is nice – but it’s VERY cluttered. I suggest fixing asap.

  4. 2009.02.03 @ 6:46 brian

    Dear Pete,

    I’m sure that it’s hard to keep all this stuff clear for everyone and I appreciate your links, but I am not a FT Facebook developer — just trying to figure out how to do a few things for an app — so I don’t have the ability to sift through the email updates or blog posts. But here is a perfect example of where the documentation is incomplete:

    Searching for “infinite session” in the wiki brings up these pages as the top two results:

    http://wiki.developers.facebook.com/index.php/Changing_profile_content

    http://wiki.developers.facebook.com/index.php/Random_questions#Infinite_Sessions

    On both of these pages the link to learn more about infinite sessions goes to non-existent pages. So, for what it’s worth, when you do the blog updates don’t forget to update the wiki :-)

  5. 2009.02.15 @ 7:55 Kevin

    Just to let you know even this seems to expire after 24 hours =/

  6. 2009.02.19 @ 0:57 Emmanuel Crouvisier

    Hi Kevin,

    Thanks for the feedback — I’ve been using this very session key for several weeks now, it’s never expired. Did you follow the how-to to the letter? What was the value of ‘expires’ when you printed out the returned array?

  7. 2009.02.19 @ 14:08 Manu

    Great article, thank you!

  8. 2009.03.02 @ 11:25 Pete Halloran

    A nice, clear article and follows the process that I use myself for creating infinite session keys within my desktop app (wish I’d had something like this available a few months back when I started writing it).

    With regards to the approach suggested by Pete B and making use of the permissions url for offline access (www.facebook.com/authorize.php) I too have run into problems with the “infinite” key being reset after 24 hours (was over a weekend), even with the “expires” value being returned as 0 in the original getSession call.

    Thanks again

    PeteH

  9. 2009.03.04 @ 15:05 Ian Kennedy

    Hello, I am Ian Kennedy from RedWolf Security Inc. I wish to use the Facebook API to post notes to a user’s account. My application has the offline_status, status_update, and create_note extended permissions, as well as an infinite session key, obtained as described in this article. I find that the notes.create and notes.get methods work, but not the notes.delete (I get a 1600 error, “The user does not have permission to modify this note”). I use curl to post requests directly to the REST server. What could be the trouble here? Thanks in advance.

  10. 2009.04.02 @ 11:03 Pete Halloran

    Just to add something more to this.

    I’ve changed our implementation to now make use of Facebook Connect and our application to be a web app rather than a desktop one. The session key that’s now in use (provided the permission for offline access has been granted) does appear to be infinite at the present time.

  11. 2009.04.27 @ 11:17 Justin Streufert

    For anyone curious as to how to accomplish Step 5 using Ruby on Rails and Facebooker, this worked for me:

    – Make sure Facebooker is set up correctly with your API key and secret
    – run script/console
    – >> f = Facebooker::Session.create
    – >> f.post "facebook.auth.getSession", :auth_token => "YOURTOKENHERE"

    The returned hash will contain your precious infinite session key.
    Hope this helps someone!

  12. 2009.05.14 @ 1:56 Beto Aveiga

    I was able to get the infinite session key with both methods, as described in the post and as described in Bratach’s comment.

    Obviously Bratach’s way is better because you don’t need to ask the user to copy any special string, it’s automatic…

    The only doubt to me until now is how much time will these 2 session keys remain valid.

    I’ll be back after one day or two with feedback.

    Thanks for the article.

  13. 2009.05.15 @ 0:39 Beto Aveiga

    Hi! I’m back to tell you that both methods work fine.

    After more than 24 hours both infinite keys work as described. Let’s see after 1 week…

    If this situation persists then I’ll definitely prefer Bratach’s suggested method. It’s quicker and with less user intervention.

    In case that something relevant happens I’ll comment again.

    Thanks.

  14. 2009.07.17 @ 3:49 Trevor Powell

    Thanks! I agree that this stuff is really hard to find on the Facebook developer site if it’s there at all, so it’s great to see it so clearly presented here.

  15. 2009.08.13 @ 6:20 Jolon Travolta

    hi,
    first of all i want to say thanks for this valuable help.
    but i got problem while fetching the fb status and other information of fb user while using infinite session key.
    it was throwing exception as follows :
    exception ‘FacebookRestClientException’ with message ‘Session key invalid or no longer valid’ in /facebook-platform/php/facebookapi_php5_restlib.php:2708 Stack trace: #0

    pls give me the solution to solve this problem.
    inform me if u want to see my code but its following all above instructions.

    thanks in advance

  16. 2009.09.14 @ 14:51 andres

    FYI, this works so far for the newest facebook API. Yes, you can use facebook connect and open sessions to do the same thing but that is just a bit more complicated, especially when your app may not be a multi-user type app. This is especially handy for quick cron jobs on php files to update FBML on apps. Thanks Emmanuel!

  17. 2009.10.21 @ 1:47 Harsha Ns

    give me the sample code to create session in C# asp.net

  18. 2009.12.01 @ 7:26 Ratnam Raj

    Session key invalid or no longer valid in ruby on rails

  19. 2009.12.02 @ 9:14 Piotr Krajewski

    something isn’t working

  20. 2009.12.07 @ 23:22 Gagan Sharma

    after doing all what you told I wrote the following code:

    $facebook = new Facebook($api_key, $api_secret);
    $facebook_userid = '';
    $facebook_infinite_session_key = '';
    $facebook->api_client->user = $facebook_userid;
    $facebook->api_client->session_key = $facebook_infinite_session_key;
    $facebook->api_client->expires = 0;

    $message = 'MY MESSAGE';
    $attachment = array(
        'name' => 'TITLE',
        'href' => '', 'caption' => $message, 'description' => '');

    $attachment = json_encode($attachment);

    $a1 = $facebook->api_client->stream_publish($message, $attachment, '', '', '');
    print_r($a1);

    after running this code I get the following array:

    Array
    (
    [error_code] => 200
    [error_msg] => Permissions error
    [request_args] => Array
    (
    [0] => Array
    (
    [key] => method
    [value] => facebook.stream.publish
    )

    [1] => Array
    (
    [key] => session_key
    [value] =>
    )

    [2] => Array
    (
    [key] => api_key
    [value] =>
    )

    [3] => Array
    (
    [key] => v
    [value] => 1.0
    )

    [4] => Array
    (
    [key] => message
    [value] =>
    )

    [5] => Array
    (
    [key] => attachment
    [value] => {"name":"new stories","href":null,"caption":null,"description":null}
    )

    [6] => Array
    (
    [key] => action_links
    [value] =>
    )

    [7] => Array
    (
    [key] => target_id
    [value] =>
    )

    [8] => Array
    (
    [key] => uid
    [value] =>
    )

    [9] => Array
    (
    [key] => call_id
    [value] =>
    )

    [10] => Array
    (
    [key] => sig
    [value] =>
    )

    )

    [message] => Unknown exception
    [code] => 0
    )

    plz help to resolve this

  21. 2009.12.07 @ 23:25 Gagan Sharma

    after doing all what you told I wrote the following code:

    $facebook = new Facebook($api_key, $api_secret);
    $facebook_userid = 'USER_ID';
    $facebook_infinite_session_key = 'SESSION_KEY';
    $facebook->api_client->user = $facebook_userid;
    $facebook->api_client->session_key = $facebook_infinite_session_key;
    $facebook->api_client->expires = 0;

    $message = 'MY MESSAGE';
    $attachment = array(
        'name' => 'TITLE',
        'href' => 'LINK', 'caption' => $message, 'description' => 'LINK');

    $attachment = json_encode($attachment);

    $a1 = $facebook->api_client->stream_publish($message, $attachment, '', 'PAGE_ID', 'PAGE_ID');
    print_r($a1);

    after running this code I get the following array:

    Array
    (
    [error_code] => 200
    [error_msg] => Permissions error
    [request_args] => Array
    (
    [0] => Array
    (
    [key] => method
    [value] => facebook.stream.publish
    )

    [1] => Array
    (
    [key] => session_key
    [value] => SESSION_KEY
    )

    [2] => Array
    (
    [key] => api_key
    [value] => API_KEY
    )

    [3] => Array
    (
    [key] => v
    [value] => 1.0
    )

    [4] => Array
    (
    [key] => message
    [value] =>
    )

    [5] => Array
    (
    [key] => attachment
    [value] => {"name":"new stories","href":null,"caption":null,"description":null}
    )

    [6] => Array
    (
    [key] => action_links
    [value] =>
    )

    [7] => Array
    (
    [key] => target_id
    [value] => PAGE_ID
    )

    [8] => Array
    (
    [key] => uid
    [value] => PAGE_ID
    )

    [9] => Array
    (
    [key] => call_id
    [value] => CALL_ID
    )

    [10] => Array
    (
    [key] => sig
    [value] => MY_SIGNATURE
    )

    )

    [message] => Unknown exception
    [code] => 0
    )

    plz help to resolve this

  22. 2009.12.12 @ 20:40 Max Morgan

    Holy balls dude. You are a god among men.

    This was VERY useful to me…

  23. 2010.01.21 @ 7:18 Ángel

    What a great solution !!!

    Thank you very much !!

    That’s what i need !!

    ángel.

  24. 2010.01.22 @ 8:29 Sonic

    Hey just a quick note – if you change your password it kills the session (‘Session key invalid or no longer valid’) and you have to regenerate the auth_token

  25. 2010.03.03 @ 9:48 Jiří Bendl

    hello, after 5th point:

    $facebook = new Facebook($facebook_api_key, $facebook_api_secret);
    $infinite_key_array = $facebook->api_client->auth_getSession($auth_token);
    print_r($infinite_key_array);

    I’ve got following error:

    Fatal error: Uncaught exception ‘FacebookRestClientException’ with message ‘Invalid parameter’ in /srv/www/dyne.allstar.cz/easyfacetv/facebookapi_php5_restlib.php:3374 Stack trace: #0 /srv/www/dyne.allstar.cz/easyfacetv/facebookapi_php5_restlib.php(315): FacebookRestClient->call_method(‘facebook.auth.g…’, Array) #1 /srv/www/dyne.allstar.cz/easyfacetv/infinite.php(14): FacebookRestClient->auth_getSession(‘0I1DST’) #2 {main} thrown in /srv/www/dyne.allstar.cz/easyfacetv/facebookapi_php5_restlib.php on line 3374

    I’m following your manual, but there’s some bug or something, please help me.
    Thanx

  26. 2010.03.04 @ 11:03 Jim Dempsey

    I used this technique previously and successfully, but I’m now getting the same error as Jiří Bendl.

  27. 2010.03.14 @ 5:11 Silvia Ayesha

    hey thanks for the nice tutorial!! but how do I extract the code from the user? please explain…

    Thanks in advance.
    Ayesha

  28. 2010.03.14 @ 15:29 Phil

    Silvia Ayesha,

    You get the code from the user in $_GET['fb_sig_session_key']
    and you get that after u ask the user for

    Now that said, this method worked for me once and I was able to run app as cron job but it stopped working. What’s up with that?
    Phil

  29. 2010.03.22 @ 10:07 Martin Hermosilla

    O I did everything. and have no errors, but. also have no wall publish… :(

    try {
        $a = $facebook->api_client->stream_publish($message, null, null, $pageid);
        print_r($a);
        echo "";
    } catch( Exception $o ) {
        print_r($o);
    }

    when i execute my php file I get a number: {$pageid}_{other_number}

    what am I doing wrong?

  30. 2010.03.22 @ 10:16 Martin Hermosilla

    Got It!!! It was missing the target_id=null
    $a = $facebook->api_client->stream_publish($message,null, null, null, $pageid);
    print_r($a);

  31. 2010.03.29 @ 5:49 Tommy KE

    Getting the same as Jiří Bendl. It worked once, then got the error message

  32. 2010.04.10 @ 22:33 Sandy

    How can we tap into user’s reviews on company’s fan pages (any company that has reviews) in a simple and straightforward manner using API or some other means. Do we need company’s authorization to tap into their data? There are whole bunch of companies that are able to pull in facebook data, how are they able to do it?

  33. 2010.04.14 @ 18:06 Alan

    Thanks a lot for this. I spent 15+ hours on this problem without having a solution. Great job!

  34. 2010.04.19 @ 9:50 Óscar Palacios

    Ok, so how can I programmatically obtain that permanent session key? I’m building an app, and I can’t have my users do all that stuff which is easy for me, but which will be intolerably complicated for my users? I still haven’t found out how to do this. Pete Bratach, some suggestions you make relate to methods which are marked as deprecated.

  35. 2010.04.20 @ 10:15 Jim Kloss

    Well done. Thank you. Still works as of 4/20/2010.

    FWIW, in 34 years of deep systems programming, some being under the covers of extremely complicated and security-conscious cludgy IBM code, I have *never* seen such a wormball of code insanity like the FB signon API. It’s a signon for gawd’s sake, not a nuclear bomb red button check. Somebody needs to rewrite their exploda-code…

  36. 2010.05.30 @ 11:51 Jani Nikula

    //Those who are dealing with that problem:

    //Fatal error: Uncaught exception ‘FacebookRestClientException’ with message ‘Invalid parameter’

    $infinite_key_array = $facebook->api_client->auth_getSession('YOUR_GENERATED_KEY');

    //print_r($infinite_key_array);

    $session_key = $infinite_key_array["session_key"];
    //that your real session key hashed by facebook, take it and store it!
    //you can take and hash it just once, next time errors will show again
    //with that session key your able login so many times you want without errors

    //fill this script and use it to login
    $facebook->api_client->user = USER_ID;
    $facebook->api_client->session_key = "SESSION_KEY";
    $facebook->api_client->expires = 0;

  37. 2010.06.15 @ 9:10 Saranraj Chinnamuniyappan

    Hi to all,
    I want to get the facebook session key dynamically for every user. Actually no of user ll login in my application , in that time want to get users session key for his/her offline access…. by using this url http://m.facebook.com/authorize.php?api_key=YOUR_API_KEY&v=1.0&ext_perm=offline_access we can get by manually…. I need to get by dynamic.. Please anyone can help me??
    hurry up….

    regards
    saran
    http://careerjobz.com

  40. 2010.12.09 @ 17:23 Jayl Wong

    after you obtain the “special code”, log in to your facebook account, then click here to generate the un-expire SessionKey

    http://developers.facebook.com/docs/reference/rest/auth.getSession

    I got the SessionKey here and work fine so far. Now, I can post News or upload video files to my profile.

  42. 2011.02.17 @ 5:01 Ankur Kapoor

    Good work man, I was banging my head for nearly 10+ hrs to finally get to your article, which ultimately solved my problem … Thanks a lot and keep up the good work

  43. 2011.03.23 @ 5:28 Testingdeveloper Selvam

    I have integrated facebook registration module with my website. I do have normal User registration in my website. Now I have integrated the FB registration with the same user table including some additional parameters to differentiate normal registered users(X) and FB registered users(Y).

    If the normal users(X) For example:User(testxyz) logs into the website and now if they need to link their Facebook account, I have given a page to link their facebook account, when the user enter their facebook details I have updated the user table with their facebook information(facebookid,facebokemail). Now the FB session data will be created for their FB login and now I will be able to show their Friendslist. I have also updated the user details(testxyz) with his Facebook details for his data row in the table once he linked with FB. This is happening right at this moment.

    Problem:

    The same user(testxyz) logout from the website and relogin into the system after sometime. Using his Facebook details, how can I again retrieve all of his friendslist to show up. The Facebook api uses the Session value to show the datas with the api call like $frnd=$facebook->api('/me'). The SESSION condition have result value only if the session is stored for the user. So please let me know how can I retrieve the FB Friend details of the user using his FB id stored in the USer table of my database.

  44. 2011.08.03 @ 18:25 Robert Gislason

    Hi.

    I just created an online tool to create this infinite session key without breaking a sweat.

    http://www.robbinn.com/facebook_session_key_creator/index.php

  45. 2011.09.24 @ 7:15 Dhanavanthini Ganapathy

    i am expecting ur rails version for the below code:
    $facebook = new Facebook($facebook_api_key, $facebook_api_secret);

    $infinite_key_array = $facebook->api_client->auth_getSession($auth_token);

    print_r($infinite_key_array);

    does infinite session key make user functionality like normal facebook login?

  46. 2011.09.24 @ 7:17 Arivarasan Lingasamy

    hi now i created my infinite session key for my account. where i have to use it in my code. I am developing it in rails 3?

    i am expecting ur rails version for the below code:
    $facebook = new Facebook($facebook_api_key, $facebook_api_secret);

    $infinite_key_array = $facebook->api_client->auth_getSession($auth_token);

    print_r($infinite_key_array);

    does infinite session key make user functionality like normal facebook login?

  47. 2012.01.18 @ 9:50 SK Evan

    On step 5, the auth_token that I’ve got is actually 6 digits and I’m not able to generate the infinite key, all I get is the HTTP 500 error.

Sorry, the comment form is closed at this time.