Wednesday, May 28, 2008

Surprise! Facebook's login.php has Changed

I just noticed that one of my deployed Facebook applications was no longer working properly when it was being accessed from outside Facebook. This application allows users to make comments on abstract artwork (it is at www.FulcrumGalleries.com). It is also running on Facebook as an application called What is Art. It is built with the Ringside Network's Social Application Server, which allows this type of dual deployment through the use of a JavaScript widget.

This application can use Facebook to log users in when they are using the What is Art application directly from the Fulcrum website. It does this by deferring to Facebook for authentication. This is achieved by following Facebook's posted authentication rules for web and desktop apps located here.

What I started seeing is quite different than the posted procedure. Originally, an application could redirect to login.php with an api_key as a parameter with the intention of logging in to a specific application. Login.php would then redirect to the calling application's callback_url with an auth_token which could then be converted into a Facebook session by calling auth.getSession. You would then use that session for all future API calls.

Well now I am seeing a different behavior in login.php. It now returns a parameter called session when it calls the callback_url. Session looks like this:
{"session_key":"263101aaf6065b08763196df-558462736","uid":"558462736","expires":0,"secret":""}
As you can see, the session parameter has the actual session_key inside it already, completely allowing you to skip the call to auth.getSession! I guess this is a time saver but supporting this change took some re-coding to get my app working again. It might be a good idea to start running a functional test against login.php daily just in case it changes again.
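A sketch of the kind of check a daily functional test could run on the redirect it gets back from login.php. This is an added example, not code from the What is Art application or from Ringside; the function name classify_callback and the app.example callback URLs are assumptions, and the sample URLs are constructed from the session value quoted above. Because the session value reaches the callback through the user's browser, the check treats it as untrusted input and validates its shape before use.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Keys present in the session value quoted in the post.
EXPECTED_KEYS = {"session_key", "uid", "expires", "secret"}


def classify_callback(callback_url):
    """Return (flow, data) for a login.php redirect to the callback_url.

    flow is "session" (the new behaviour), "auth_token" (the documented
    behaviour, which still needs auth.getSession) or "unknown" (drift).
    """
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    if "session" in params:
        try:
            session = json.loads(params["session"][0])
        except ValueError:
            return "unknown", {"reason": "session is not valid JSON"}
        if not isinstance(session, dict):
            return "unknown", {"reason": "session is not a JSON object"}
        missing = EXPECTED_KEYS - set(session)
        if missing:
            return "unknown", {"reason": "missing: " + ",".join(sorted(missing))}
        # Untrusted input: check types before the value is used for API calls.
        key = session["session_key"]
        if not isinstance(key, str) or not key:
            return "unknown", {"reason": "empty or non-string session_key"}
        if not str(session["uid"]).isdigit():
            return "unknown", {"reason": "uid is not numeric"}
        return "session", session

    token = params.get("auth_token", [""])[0]
    if token:
        return "auth_token", {"auth_token": token}
    return "unknown", {"reason": "neither session nor auth_token present"}


# Constructed sample redirects (hypothetical callback host).
SAMPLE_SESSION = ('{"session_key":"263101aaf6065b08763196df-558462736",'
                  '"uid":"558462736","expires":0,"secret":""}')
NEW_STYLE = "https://app.example/callback?" + urlencode({"session": SAMPLE_SESSION})
OLD_STYLE = "https://app.example/callback?auth_token=CONSTRUCTED_TOKEN"

if __name__ == "__main__":
    for url in (NEW_STYLE, OLD_STYLE, "https://app.example/callback?foo=1"):
        print(classify_callback(url))
```

A scheduled test can alert whenever the flow is "unknown" or differs from the flow the application was last coded against.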
