Platform Update: PHP SDK 3.0.0 Arrives, Client-Side Re-Authentication, & More

In the most significant developer update of last week, Facebook pushed out the latest version of its PHP SDK, well ahead of its self-imposed deadline of July 1st. The move is part of the company’s wider effort to increase security around users and their data, in the face of evidence showing data leaks.

The new PHP SDK, version 3.0.0, improves on the previous 2.2.x version by using the industry-standard OAuth authentication flow in place of Facebook’s prior flow. It also separates data into two classes: one for most data, and a separate class for handling user IDs and access tokens. IDs and tokens have at various points been reported to be leaking out of applications, potentially allowing third parties to gather data and access users without the proper permissions.

Facebook is telling developers who only use the PHP SDK to update now; those using the JavaScript SDK should wait four weeks, until Facebook introduces that updated version as well. The timeline below comes from the Facebook developer blog post on the topic (which you should also check for coding examples and more detail on the transition).

| Login Flow | Upgrade |
| --- | --- |
| PHP SDK for login and API calls | Now |
| JS SDK for login and PHP SDK for API calls | 4 weeks |
| JS SDK for login and API calls | 4 weeks |

On a related note, Facebook reminded developers in its weekly update last Friday that they should run through a checklist of causes if they discover that user access tokens have expired. Some offline mode tokens were leaking, security firm Symantec discovered recently. Facebook said in the post that, among other reasons, it could invalidate access tokens for security reasons. The reminder could be due in part to Facebook expiring tokens that it believes were compromised.

The weekly post included a few other notable items, too. Facebook recently introduced a server-side method for developers to require users to re-enter their passwords to confirm their identities, such as when they are clicking to complete a purchase on a shared computer; now it is also introducing a client-side method to do the same. And, as of tomorrow, Facebook will remove the old version of the Insights dashboard, as it rolls out the new version.