To improve the user experience for your application, we've added support for session keys that don't expire. This means that users will only have to log in to Facebook once for your application.
... holy shit, you have to be kidding me.

To take advantage of infinite sessions, your application should permanently store a user's session key and include it in method calls. You won't ever need to establish a new session on behalf of that user, unless the user explicitly logs out of your application. To see infinite sessions in action, check out the Facebook Exporter for iPhoto - once logged in to Facebook for the first time, users should never have to log in again.
Ok, follow the idiot bread crumbs here. First Facebook turns down $800 million. Now they are just asking to get 0wn3d with their "infinite" sessions. I never thought I'd use the words "wet dream" and XSRF in the same sentence, but this is a wet dream for anyone wanting to write a Facebook XSS or XSRF worm. Makes you wonder exactly how many bong hits Mark Zuckerberg did at Harvard.

Facebook rolls out infinite session ids
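The risk the post is pointing at, as an added illustration that is not part of the original post and not Facebook's code: a server-side session store run under the "infinite" policy the announcement describes beside a bounded one, showing that a session key which leaks (through the XSS the post worries about, for example) stays usable indefinitely under the first policy and dies on its own under the second. The policy values and user names are constructed.

```python
import secrets

# Constructed policies: the "infinite" key from the announcement (valid until an
# explicit logout) beside a bounded one (absolute lifetime plus idle timeout).
INFINITE = {"max_age": None, "idle_timeout": None}
BOUNDED = {"max_age": 24 * 3600, "idle_timeout": 30 * 60}


class SessionStore:
    """Server-side store mapping key -> {user, issued, last_seen, revoked}."""

    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}

    def issue(self, user, now):
        key = secrets.token_urlsafe(32)
        self.sessions[key] = {"user": user, "issued": now,
                              "last_seen": now, "revoked": False}
        return key

    def logout(self, key):
        # Explicit logout is the only thing that ends an INFINITE session.
        if key in self.sessions:
            self.sessions[key]["revoked"] = True

    def validate(self, key, now):
        """Return the user if the key is still good, else None."""
        s = self.sessions.get(key)
        if s is None or s["revoked"]:
            return None
        max_age = self.policy["max_age"]
        idle = self.policy["idle_timeout"]
        if max_age is not None and now - s["issued"] > max_age:
            return None
        if idle is not None and now - s["last_seen"] > idle:
            return None
        s["last_seen"] = now
        return s["user"]


def exposed_key_still_works(policy, delay):
    """A key issued at t=0 is exposed and presented again `delay` seconds later.

    Returns True if the server would still accept it under `policy`.
    """
    store = SessionStore(policy)
    key = store.issue("alice", now=0)
    return store.validate(key, now=delay) == "alice"
```

Under the bounded policy the window for abusing an exposed key closes by itself; under the infinite policy it only closes if the user happens to log out.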