The type of sites that almost every Internet user has signed up for are Social Networks, and the most popular of these Social Networks is Facebook. People are always logged-in to their favorite Social Network. The best part about these Social Networking sites is that they facilitate a feature that allow other programs or sites to communicate with their Servers to Retrieve information about you through their API which is similar to the ones from Jitterbit. Using this feature opens up many possibilities one of which is Authentication – The Act of confirming one’s Identity. You can easily Login one of your users by just looking at who your user is logged-in as on Facebook. Facebook Login is common all around the web. To give you some ideas on web design online just visit Web Design Cardiff.
Many sites use Facebook Login, for example: Vimeo, Khan Academy, Tech Crunch, PasteBin
This is a little bit of hassle for the developer but it enhances User Experience by simplifying the Login procedure as it doesn’t require your users to remember Login details.
Are you Ready?
To continue this tutorial you must know of HTML, PHP, MySQL and a little bit of CSS just to make things look nice. (Javascript based features are not included for the sake of simplicity)
You must understand what Sessions are and you must also understand how to use MySQL with PHP. We are going to use the MySQLi PHP Extension for this tutorial.
Setup Facebook Application
We must let Facebook know that our website will be communicating with their servers. To do that we have to setup a Facebook Application and we also have to make sure we have a website development company helping us out…
- Login to your Facebook account
- Go to this address: https://developers.facebook.com/apps
- Click this button on the top right corner of the page:
- Fill in the “App Name” Field with your site’s name
- Fill in the other Information…
- Make sure you add your website domain with both www. and without…
- Don’t forget the slash(/) at the end of the site URL..
- Remember to disable Sandbox Mode…
- Copy down these two pieces of information somewhere else, we will need it later and be sure to show it to Absolutely No One especially the “App Secret“. Anyone else knowing these may pose a Security Threat.
- Now Save Changes….
CONGRATULATIONS! You have finished Setting Up your Facebook app!
A Few things to note
- Facebook will only accept Logins from the URLs provided.
- You may(for testing purposes) change the Site URL to “http://localhost/fb_login/“
and the App Domains to just “localhost“ - If you don’t want to change the settings then all testing must be done on the server that is running at the provided Domain & URL
Prepare a Basic site with a Simple Login System
For your convenience we have prepared one for you, so you don’t have to waste your time making a simple login System
Caution: Do not follow this as a good example for a Login System. This is very Basic and has many Security holes. The code is only for testing and understanding the Facebook Login procedure.
Instructions
- Copy and paste the files inside the Zip folder to a test directory on your server
- Make a database in your MySQL server named “fb_login“
- Execute this piece of SQL inside your fb_login Database. This creates a table named “users” and fills it with example data…
CREATE TABLE IF NOT EXISTS `users` ( `id` int(10) NOT NULL AUTO_INCREMENT, `username` varchar(100) NOT NULL, `name` varchar(100) NOT NULL, `email` varchar(100) NOT NULL, `password` varchar(200) NOT NULL, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=3 ; INSERT INTO `users` (`id`, `username`, `name`, `email`, `password`) VALUES (NULL, 'awesome', 'Awesome Person', 'awesome-guy@my-awesome-website.com', 'awesome'), (NULL, 'amazing', 'Amazing Person', 'amazing-guy@my-awesome-website.com', 'amazing')
- Execute this piece of SQL, but this time replace the fields with your
- Any Username you choose
- Name
- Email address that you used on Facebook
- Any password of your own choice
INSERT INTO `users` VALUES (NULL, 'A USER NAME OF YOUR CHOOSING', 'YOUR NAME', 'YOU EMAIL ADDRESS THAT YOU USED ON FACEBOOK', 'A PASSWORD OF YOUR CHOOSING' );
- Go back to your test Directory and open the file named “config.php” inside your favorite code Editor
- Edit this line according to your MySQL Server settings.
$db = new mysqli("HOST", "USERNAME", "PASSWORD", "fb_login");
For Example:
$db = new mysqli("localhost", "root", "root", "fb_login");
- Save the file.
Now open the URL to your test directory(in my case: http://localhost/fb_login/) in your browser. If you have followed all the instructions correctly then you should be greeted by a page that looks like this:

Test Site Homepage
Test the site login by either using the details you used in Step#4 of the Instructions or:
Username: awesome
Password: awesome
After testing everything, you will notice that the “Login with Facebook” button doesn’t do anything. That button is linked to a file named “login_facebook.php“, this file is left blank intentionally so that you can follow this tutorial and code the Facebook Login system yourself.
A Little overview on what all the other files do:
- index.php: The Main Page(aka. Homepage).
- login_normal.php: The script that handles the standard login. It check if you have properly written your Username & Password, then if you have, it tries to match the password you have written with the password stored in the database. If both match then it sets a session variable named $_SESSION[“user”] with the id of the user who logged in.
- logout.php: unsets the variable $_SESSION[“user”] in turn logging out the user.
- profile.php: Simply gets information from the database according to the id set inside $_SESSION[“user”] and displays it.
- config.php: Initializes the MySQL Database Connection and stores the connection handle in a variable named $db
Facebook Login
So open the login_facebook.php file in your Code Editor of choice then start the session, include the database connection file and set the App ID, App Secret and Redirect URI into variables as so:
<?php session_start(); include("config.php"); $app_secret = "YOUR APP SECRET"; $app_id = "YOUR APP ID"; $redirect_uri = urlencode("URL TO YOUR login_facebook.php SCRIPT");Example Variable values:
$app_secret = "dca0448bca2a4445c0b69cef34bfe09d"; $app_id = "392754540811317"; $redirect_uri = urlencode("http://localhost/fb_login/login_facebook.php");Now observe this diagram with attention:
Diagram giving an Overview of the whole Facebook Authentication Process
So lets assume the first step is complete, but your user isn’t going anywhere yet. We must redirect the user to the Facebook Login Dialog. So what exactly is this so called Dialog?
This is the so called Dialog
Facebook OAuth Dialog
This can be shown to the users by redirecting them to a URL that looks like this:-
https://www.facebook.com/dialog/oauth?client_id={YOU APP ID}&redirect_uri={FACEBOOK LOGIN HANDLING URL}
Remember Step#6 of Setup Facebook Application? Yes, that is where you will get your “App ID”. The “FACEBOOK LOGIN HANDLING URL” is the URL to the PHP script that will handle the Facebook Login.
An Example URL to invoke the Facebook OAuth Dialog:-
https://www.facebook.com/dialog/oauth?client_id=508015629253444&redirect_uri=http://localhost/fb_login/login_facebook.phpYou could be a Object Oriented Guru but as this tutorial was intended for Beginners so we will use the normal, procedural method. So lets write up a Function to redirect our users…
function dialog(){ global $app_secret, $app_id, $redirect_uri; header("location: https://www.facebook.com/dialog/oauth?client_id=$app_id&scope=email&redirect_uri=$redirect_uri "); }This URL alone is enough for getting your user’s First Name, Last Name and other basic information, but no we need a little more then this. We need the user’s email address in order to authenticate a user into our site. So to let Facebook know we will be needing the email address, we must send a third parameter called “scope“. The Scope parameter contains a comma separated list of special Permissions like in our case: “scope=email“. (For the full list of permission that can be requested click here)
Just as a security measure, a fourth URL parameter named “state” should be sent. This state should be a randomly generated string. The string should also be stored in a session variable temporarily so that when the string will be passed back to your site after a successful authentication in the “state” parameter once again you can match it with the session variable to confirm that the request was not a result of a Cross-Site Request Forgery.
So here is the revised dialog() function that includes the scope parameter and also sends and stores the state parameter and a Random string generator function:-
function generate_state(){ return md5(uniqid(rand(),TRUE)); } function dialog(){ global $app_secret, $app_id, $redirect_uri; $state = generate_state(); $_SESSION["state"] = $state; header("location: https://www.facebook.com/dialog/oauth?client_id=$app_id&scope=email&redirect_uri=$redirect_uri&state=$state "); }Calling calling the dialog() function will start redirecting your user to the OAuth Dialog but if we don’t add any logic then your users will be stuck in a Infinite Redirection Loop. To start coding the logic in, you must know what parameters are passed back to your site when one of the two buttons are clicked. Here is a Diagram:-
URL Parameter that are sent back
So to check if your user clicked “Okay” we can check if the “code” parameter is set. To check if the user clicked “Cancel” we can check if the parameter “error” is set, and if neither is set then it must mean the page is being requested for step#1 of the authentication process, that’s when we can call the dialog() function. So in code it should look something like:-
if(isset($_REQUEST["error"])){ header("location: index.php"); }elseif(isset($_REQUEST["code"])){ // [IGNORE THIS BLOCK OF CODE FOR NOW] if(isset($_REQUEST["state"]) && $_REQUEST["state"]==$_SESSION["state"]){ $access_token = get_access_token(); $data = getData($access_token); authenticate_user($data["email"]); } // [IGNORE THIS BLOCK OF CODE FOR NOW] }else{ dialog(); }You could do a lot of fancy things when the user clicks the “Cancel” button like: you can Display out the error, error_reason & error_description parameters or you could save it in a session variable and show which button to click on the homepage, but for now we will just redirect the user back to the homepage.
In the code block on the middle(the one you were asked to temporarily ignore), the one which executes when the user clicks “Okay” – the passed back “state” value and the value stored in $_SESSION[“state”] are matched to protect against Cross-Site Request Forgery. Also, three new functions are introduced that we didn’t declare yet. They are: get_access_token(), getData() and authenticate_user().
Function: get_access_token()Lets start understanding and writing the get_access_token() function. First we need to understand what a Access Token is. Access Tokens are strings which is used as a temporary passcode to be able to communicate with the Facebook servers. It has to be sent as a parameter of every request we send to Facebook’s graph API as such:
https://graph.facebook.com/me/friendlist?access_token=CAACEdEose0cBADBeKF7456meGvgHGK7ZAetsoNnLTXZBxzsVpz5dvilZCN3ACXrXZAuvuDbA7aWjdLeOXVy5enZCZAUmNa9VmZBwwvVfZBoZBzIXBazyuBn41ctuQeSnCI9an420ii5tV83R9vZBUFmxjmM4sMZCoAsUvMnHiNOHXqOcgZDZDYes! I know, that’s quite a long string! but that is an example of an access token. Each access_token is valid for only about 1 or 2 hours. Every new Access Token is unique and they are binded to a Specific user using a specific Application at a specific time frame.
Note: Every request to the Facebook API requiring an access token must be done over a HTTP Secure(https://) Connection.
To obtain an access_token we have to trade the value of the “code” parameter. This can be done by sending a get request to an end-point and passing the code as a parameter. Example:-
https://graph.facebook.com/oauth/access_token?client_id=508015629253444&redirect_uri=http://localhost/fb_login/login_facebook.php&client_secret=[THE SECRET STRING YOU COPIED DOWN FROM HERE]&code=[THE VALUE OF THE CODE PARAMETER]Requesting this URL will return a String that looks like a query string of an URL. Example:-
access_token={access-token}&expires={seconds-til-expiration}
Lets wrap this all up into a function:
function get_access_token(){ global $app_secret, $app_id, $redirect_uri; $code = $_REQUEST["code"]; $call = file_get_contents("https://graph.facebook.com/oauth/access_token?client_id=$app_id&redirect_uri=$redirect_uri&client_secret=$app_secret&code=$code"); parse_str($call); return $access_token; }We could have used the PHP cURL Library but to keep it simple, we have not used that.
The parse_str() function converts a query string into variables. Example:
parse_str("access_token=an_access_token&expires=3000"); echo $access_token; echo "<br>"; echo $expires;will output:
an_access_token 3000
Function: getData()So we got our Access Token, what’s next? Now we have to use this Access Token to get information about the user, especially the email address. We can do this by calling the “/me” from the Facebook Graph API. Example:-
https://graph.facebook.com/me?access_token=[ACCESS TOKEN]The response from Facebook would be something like:-
(This example response was the result of requesting “/me” logged-in as me){ "id": "100000299160491", "name": "Omran Jamal", "first_name": "Omran", "last_name": "Jamal", "link": "http://www.facebook.com/Omran.Jamal", "username": "Omran.Jamal", "gender": "male", "email": "o.jamal97@gmail.com", "timezone": 6, "locale": "en_US", "verified": true, "updated_time": "2013-05-11T11:40:48+0000" }to be more Specific about returning only email and name we can add a “fields” parameter example:-
https://graph.facebook.com/me?fields=name,email&access_token=[ACCESS TOKEN]this is will return(The “id” field is mandatory, so it will be returned anyway):-
{ "name": "Omran Jamal", "email": "o.jamal97@gmail.com", "id": "100000299160491" }The responses from the Graph API are in JSON format, thankfully PHP has built-in JSON parsing functions so we can manipulate them like normal PHP Arrays. Here is the getData() function:-
function getData($access_token){ $raw = file_get_contents("https://graph.facebook.com/me?fields=name,email&access_token=$access_token"); $array = json_decode($raw,TRUE); return $array; }
Function: authenticate_user()Now that we got our user’s Facebook email address all that’s left to do is to write a function that will match the email address with the database and set the session variable with the corresponding user’s id…
function authenticate_user($email){ global $db; $query = $db->query("SELECT id FROM users WHERE email='".$email."'"); $array = $query->fetch_assoc(); if($query->num_rows==1){ $_SESSION["user"] = $array["id"]; header("location: index.php"); }else{ header("location: index.php"); } }If the email doesn’t match with any in the Database the user is simply redirected back to the homepage.
The full “login_facebook.php” file
<?php session_start(); include("config.php"); $app_secret = "YOUR APP SECRET"; $app_id = "YOUR APP ID"; $redirect_uri = urlencode("URL TO YOUR login_facebook.php SCRIPT"); function generate_state(){ return md5(uniqid(rand(),TRUE)); } function dialog(){ global $app_secret, $app_id, $redirect_uri; $state = generate_state(); $_SESSION["state"] = $state; header("location: https://www.facebook.com/dialog/oauth?client_id=$app_id&scope=email&redirect_uri=$redirect_uri&state=$state "); } function get_access_token(){ global $app_secret, $app_id, $redirect_uri; $code = $_REQUEST["code"]; $call = file_get_contents("https://graph.facebook.com/oauth/access_token?client_id=$app_id&redirect_uri=$redirect_uri&client_secret=$app_secret&code=$code"); parse_str($call); return $access_token; } function getData($access_token){ $raw = file_get_contents("https://graph.facebook.com/me?fields=name,email&access_token=$access_token"); $array = json_decode($raw,TRUE); return $array; } function authenticate_user($email){ global $db; $query = $db->query("SELECT id FROM users WHERE email='".$email."'"); $array = $query->fetch_assoc(); if($query->num_rows==1){ $_SESSION["user"] = $array["id"]; header("location: index.php"); }else{ header("location: index.php"); } } if(isset($_REQUEST["error"])){ header("location: index.php"); }elseif(isset($_REQUEST["code"])){ if(isset($_REQUEST["state"]) && $_REQUEST["state"]==$_SESSION["state"]){ $access_token = get_access_token(); $data = getData($access_token); authenticate_user($data["email"]); } }else{ dialog(); } ?>GREAT! Test out the Site by going to the test Directory address (eg. http://localhost/fb_login/). Then click on the “Login with Facebook” Button. If you have followed this tutorial smoothly and if the email address that you gave in Step#4 of the Instructions and the email address that you use on Facebook matches then you should see that you have been logged in to your site and the main navigation now has a “My Profile” link.
“My Profile” Page
Conclusion
I hope after reading this tutorial you have gotten the basic principle of how the Facebook Authentication works. If you did, then I bet you can customize this basic code to suit your needs and make almost any type of login system work with Facebook. You may try and implement this code in an Object Oriented Style so that you can reuse the Facebook Login system in as many projects as you want with ease, but for now that’s all..:)
Stay tuned to w3programmers for more tutorials from me on Facebook Application Development
Hi, I am Omran Jamal from Bangladesh, a Student of A-Level, and an Intern at Techbeeo. Though young, I am very enthusiastic about Computers. Taught myself how to code when I was 12 and been coding ever since.
Lots of thnx Omran Jamal………became your fan bro…
I like this Website
bro i am getting errors, at my localhost
Warning: Header may not contain more than a single header, new line detected. in C:\xampp\htdocs\fb\login_facebook.php on line 24
on line 20 to 24 you’ll see the code is something like this:
header(“location:
https://www.facebook.com/dialog/oauth?client_id=$app_id&scope=email&redirect_uri=$redirect_uri&state=$state
“);
just remove all the new lines and put all this code into one line as so:
header(“location: https://www.facebook.com/dialog/oauth?client_id=$app_id&scope=email&redirect_uri=$redirect_uri&state=$state“);
Some PHP installations throw an error in this situation and some Don’t ……
Hope this helped,
Good Luck…:)
yeah it worked fine 🙂
By The Way… if its not too much trouble then may I know your PHP Version?
Spot on with this write-up, I truly believe this site needs a great deal more attention. I’ll probably be back again to read more, thanks for the info!
really nice tutorial and worked successfully.
I want to login directly to my site through facebook and i dont want to check database.for this what i do in this code.
Check on Line 66:
authenticate_user($data[“email”]);
remove this line and replace it with:
$access_token = get_access_token();
$userData = getData($access_token);
Now you have a variable named $userData with the user’s Facebook ID, Email Address and Name, use this information to instantly signup or temporarily login the user into your site……
this article is many help me
Hmm is anyone else experiencing problems with the pictures on this blog loading?
I’m trying to figure out if its a problem on my end or if it’s the blog.
Any suggestions would be greatly appreciated.
Sir, rest assured the blog’s images are working fine. Modify your Browser settings, check your internet connection, or at least clear your cache and reload the page(Ctrl+F5).
It’s Excellent
siri am getting errors, at my localhost
its cant redirect on facebook page
this is a my login facebook.php code
query(“SELECT id FROM users WHERE email='”.$email.”‘”);
$array = $query->fetch_assoc();
if($query->num_rows==1){
$_SESSION[“user”] = $array[“id”];
header(“location: index.php”);
}else{
header(“location: index.php”);
}
}
if(isset($_REQUEST[“error”])){
header(“location: index.php”);
}elseif(isset($_REQUEST[“code”])){
if(isset($_REQUEST[“state”]) && $_REQUEST[“state”]==$_SESSION[“state”]){
$access_token = get_access_token();
$data = getData($access_token);
authenticate_user($data[“email”]);
}
}else{
dialog();
}
?>
pls help me
Sorry! The fault is mine. On line 20 to 24 in my code, you’ll see the code is something like this:
header(“location:
https://www.facebook.com/dialog/oauth?client_id=$app_id&scope=email&redirect_uri=$redirect_uri&state=$state
“);
this code is a part of the dialog() function.
just remove all the new lines and put all this code into one line as so:
header(“location: https://www.facebook.com/dialog/oauth?client_id=$app_id&scope=email&redirect_uri=$redirect_uri&state=$state“);
Hope this helped,
Good Luck…:)
Good post. I will be going through a few of these issues as well..
very nice code
It is actually a great and useful piece of information. I’m glad that you shared this
helpful information with us. Please keep us informed like this.
Thank you for sharing.
Gr8 post. I’ll keep continue to visit.
Many thanks….
Salam, Brother a nice effort from you. I appreciate. I downloaded and run this application but when I execute this application using following link, it shows nothing:
http://localhost/facebook-site/login_facebook.php
I have all done all settings which you mentioned in your tutorial.
Thanks
Great post,this is the best tutorial zone I have encounter so far,just keep it up with the great job.
Hi, after reading this awesome piece of writing i am too cheerful to share my familiarity here with friends.
tert
function get_access_token(){
global $app_secret, $app_id, $redirect_uri;
$code = $_REQUEST[“code”];
$call = file_get_contents(“https://graph.facebook.com/oauth/access_token?client_id=$app_id&redirect_uri=$redirect_uri&client_secret=$app_secret&code=$code”);
parse_str($call);
return $access_token;
}
Error: undefined variable $access_token
wrong information
Pingback: Add Login Feature To Website