I’m building a community site and I’ve already built my login and user account system. Now I want to allow people to login using their facebook accounts (and OpenID in the future) and my plan is to do it without javascript. I’ve downloaded the facebook php sdk and while playing with it I noticed that authenticating a user takes about 0.8 seconds on my server. This is probably because the class is using https to connect with the remote facebook server. But I wouldn’t like to slow down every page on my site by 0.8 seconds for facebook users. What would be the best way to get rid of the overhead?
So far this is my idea:
-
Each facebook user will get their own account (record in the db) on my site, which will contain the facebook user id apart from the regular user id. The account will be automatically created after logging in if it doesn’t exist.
-
After logging in I will not contact facebook anymore for authentication but will use the login system of my site to manage his or her login state. This way my site will not get slower.
One drawback of this solution will be that when the user logs out of the facebook.com site they will still be logged in on my site because I will not be authenticating them at facebook.com anymore - they will have to use the logout button on my site to log out of my site. As a workaround I’m considering authenticating the user at facebook every 10 minutes to check whether their session at facebook is still alive and log them out if it’s not.
To me this sounds reasonable, but I’m not sure if I haven’t overlooked any security or other problems with this approach. Any ideas will be appreciated.