Another new thing in SFC 1.0 is the new Login and Registration mechanism. The login mechanism in the older SFC worked, but it was slightly buggy and didn’t work very well. The new mechanism works quite well indeed.
Login screen with Facebook popup
For starters, it will auto-connect existing accounts to Facebook, based on matching email addresses. Just Login with your FB credentials, and if you’re using the same email in both sites, then it auto logs you in based on that. Your account gets automatically connected to your Facebook Profile, and this appears in the “Howdy” dropdown as well as on your Profile.
Howdy dropdown
This may seem insecure to some, however the mechanism behind the scenes is that Facebook sets a cookie in your browser, and cryptographically signs it. Your Application Secret is the key used to decode this signature, thus proving it came from your Facebook application, and eliminating the risk of having users log in without your valid credentials.
However, this does point out something everybody should know: Secrets are supposed to be secret. So keep your Facebook Application Secret a real secret. This applies anytime you’re setting up interconnected web applications. Secrets are called that for a reason.
Registration Flow
In order to integrate Login and Registration using Facebook, Facebook came up with what is essentially a flow diagram explaining the steps an app should use to login and register somebody to a third party site.
Facebook's rather complex registration flow diagram
This rather complex looking flowchart shows how a site which has its own login and registration mechanism can implenent Facebook. I’ve followed this chart as best as possible, and thanks to FB’s Registration plugin, it works quite well now. Here’s how it breaks down.
For existing users:
- You click the Login button.
- You login to Facebook if needed.
- If your email on Facebook matches your email in WordPress, you’re logged in and your account is automatically connected.
- If your email doesn’t match, then you can log in normally with WordPress instead, and connect your account manually, on the Users->Your Profile screen.
For new users:
- You click the Login button.
- You login to Facebook if needed.
- If no account can be found for you from the login process, you get redirected to the Register page.
- There the Facebook register plugin shows up and lets you register for the WordPress site, using your Facebook credentials. All it asks for is a username and to solve a CAPTCHA (to prevent spam registrations).
- You get a new WordPress account, already connected to Facebook for you. It even emails you a password.
Registration screen
Some have expressed concern that Facebook seems required for registration. This is not actually the case, because after all, not everybody uses Facebook. One of the nice things about the FB Register plugin is that it has different methods for Facebook connected users vs. non-Facebook connected users. Both types of users can register for the site. Facebook users get some advantages like having their account automatically connected and not having to type in an email address, but the basic process is the same.
For new users not using Facebook:
- You click the Register link.
- The Facebook register plugin shows up and lets you register for the WordPress site. It will ask for a username and your email address, as per the normal registration process. It does have the CAPTCHA too, and tells you that you can login using Facebook as well, if you want.
- You get a new WordPress account, and it emails you a password.
Registration screen
And after logging in and having it recognize you, the user will be automatically connected to their account on their Profile page.
Facebook Connection shown on the Profile Page
If you want to try the new version now, I’ve finally moved it into the normal “trunk” directory on the repository at WordPress.org, so you can download the ZIP file of the plugin here:
http://downloads.wordpress.org/plugin/simple-facebook-connect.zip
Release date: soon. Real soon now. 🙂
