[Catalyst] Catalyst::Plugin::Session, Facebook, and Custom Session ids

Jim Spath jspath at pangeamedia.com
Tue Jun 5 14:35:24 GMT 2007

Matt S Trout wrote:
> On Mon, Jun 04, 2007 at 11:44:50AM -0400, Jim Spath wrote:
>> Is there any way to disable the validation of session ids?  Seems like 
>> it would be a somewhat useful option for those cases (like interfacing 
>> with Facebook), where the session ids are pre-created.
> sub validate_session_id { 1 }
> might work. But don't blame me if it breaks something :)

I have a working Facebook state plugin now.  It overrides 
get_session_id, generate_session_id, and validate_session_id.

One gotcha I found was that since Facebook always passes a session key 
with its users, my get_session_id() was always returning a session key. 
  This was a problem when I needed to log users in a create a new 
session, because Catalyst was behaving as if it already had a session, 
and wouldn't create a new one.

My solution was to use a hidden field on Facebook logins called 
fcbk_login.  get_session_id() checks for this request parameter, and if 
it is present, will not return the Facebook session key.  I don't really 
like this solution as it requires a particular parameter to be in the 
login form template, but I couldn't think of a better way to deal with it.

Here's the module in its current state, feedback would be welcome...

package Catalyst::Plugin::Session::State::FcbkToken;

use base qw/Catalyst::Plugin::Session::State/;

use strict;
use warnings;

use NEXT;

our $VERSION = "0.01";

sub get_session_id {
   my ($c) = @_;

   # get facebook session id from parameter unless user is
   # trying to login

   if (!$c->request->param('fcbk_login') &&
       (my $sid = $c->request->param('fb_sig_session_key'))) {

     # indicates that we used a facebook session key
     $c->stash->{'fcbk_token_found'} = 1;

     $c->log->debug(qq/Found facebook session key "$sid"/) if $c->debug;

     return $sid;



sub validate_session_id {
   my ($c, $sid) = @_;

   # properly validate facebook session ids
   if ($c->stash->{'fcbk_token_found'}) {
     return $sid && $sid =~ /^[-a-f\d]+$/i;


sub generate_session_id {
   my ($c) = @_;

   if (my $sid = $c->request->param('fb_sig_session_key')) {

     $c->log->debug(qq/Created sessionid using facebook session key "$sid"/)
       if $c->debug;

     return $sid;



Thanks for the help everyone!

- Jim

More information about the Catalyst mailing list