Back to News for Developers

Migrating to OAuth 2.0 update: PHP SDK v.3.1.1

August 9, 2011ByJerry Cain

As communicated on our Developer Roadmap, the PHP SDK has been updated to version 3.1.1 to leverage recent changes to the JavaScript SDK. The JavaScript SDK sets a cookie that identifies the connected user (if the cookie parameter is set to true). The PHP SDK can easily access this cookie when used in the same domain. This allows you to connect the user to your site or app using the JavaScript SDK (FB.login or the Login Button) and then call Platform APIs from server-side PHP without doing additional work.

The example below shows how the PHP SDK and JavaScript SDK work together:


require 'php-sdk/src/facebook.php';

$facebook = new Facebook(array(
  'appId'  => 'YOUR_APP_ID',
  'secret' => 'YOUR_APP_SECRET',

// See if there is a user from a cookie
$user = $facebook->getUser();

if ($user) {
  try {
    // Proceed knowing you have a logged in user who's authenticated.
    $user_profile = $facebook->api('/me');
  } catch (FacebookApiException $e) {
    echo '<pre>'.htmlspecialchars(print_r($e, true)).'</pre>';
    $user = null;

<!DOCTYPE html>
<html xmlns:fb="">
    <?php if ($user_profile) { ?>
      Your user profile is 
        <?php print htmlspecialchars(print_r($user_profile, true)) ?>
    <?php } else { ?>
    <?php } ?>
    <div id="fb-root"></div>
      window.fbAsyncInit = function() {
          appId: '<?php echo $facebook->getAppID() ?>', 
          cookie: true, 
          xfbml: true,
          oauth: true
        FB.Event.subscribe('auth.login', function(response) {
        FB.Event.subscribe('auth.logout', function(response) {
      (function() {
        var e = document.createElement('script'); e.async = true;
        e.src = document.location.protocol +

Reminder: Migrate to OAuth 2.0 and HTTPS by October 1, 2011

With this update to the PHP SDK, all apps can now easily migrate to OAuth 2.0.

By October 1, 2011, we require that all website and canvas apps must exclusively support OAuth 2.0 (draft 20). All canvas apps must use the signed_request parameter. This also implies that old, previous versions of our SDKs will stop working, including the old JavaScript SDK.

You can ensure that you have migrated by:

In addition, an SSL Certificate is required for all Canvas and Page Tab apps by October 1. Contrary to some feedback we’ve heard, acquiring an SSL certificate is relatively inexpensive, and the ongoing cost of supporting SSL for most apps is low. The sooner your app supports HTTPS the more secure our platform will become. A warning will be issued in the Developer App if you do not have the appropriate Secure URLs filled.

Please let us know if you have any questions or feedback in the Comments below.