Index: fb_session.inc
===================================================================
--- fb_session.inc      (revision 2770)
+++ fb_session.inc      (working copy)
@@ -1,6 +1,13 @@
 <?php
+// $Id$

 /**
+ * @file
+ * FB session management.
+ *
+ */
+
+/**
  * Here we override Drupal's session management.  Actually, we try not
  * to change things, unless we're servicing a facebook app.  We
  * include drupal's session.inc at the end of this file so that
@@ -60,7 +67,7 @@
   $new_session_name = "fb_canvas_{$nid}_" . $orig_session_name;
   if (isset($_REQUEST['fb_sig_session_key']))
     $new_session_id = "fb_canvas_{$nid}_" . $_REQUEST['fb_sig_session_key'];
-  else if ($orig_session_id) {
+  elseif ($orig_session_id) {
     // When user is logged into facebook, but not authorized app, cookies are honored.  (confirm this???)
     $new_session_id = "fb_canvas_{$nid}_" . $orig_session_id;
   }
@@ -75,47 +82,49 @@
       $_REQUEST['fb_sig_in_iframe']) {
     fb_settings(FB_SETTINGS_SESSION_KEY, $_REQUEST['fb_sig_session_key']);
   }
- }
- else if ($nid && variable_get('fb_session_cookieless_iframe', FALSE) &&
+}
+elseif ($nid && variable_get('fb_session_cookieless_iframe', FALSE) &&
           ($sess_key = _fb_settings_parse(FB_SETTINGS_SESSION_KEY))) {
-   // using sessionless iframes
-   // similar logic to clause above, using session key in url path
-   $new_session_id = "fb_canvas_{$nid}_" . $sess_key;
-   $new_session_name = "fb_canvas_{$nid}_" . $orig_session_name;
- }
- else {
-   // Try to learn session key from cookies (Facebook Connect)
-
-   $apikey = NULL;
-   // Discover APIKEY by inspecting cookies.
-   // This could be made more efficient by looking only for the primary apikey.  I hesitate because some sites may need to support multiple connect apps. (I.e. one for the website and other for resizeable iframes in canvas pages)
-   foreach ($_COOKIE as $key => $value) {
-     if ($pos = strpos($key, '_session_key')) {
-       $apikey = substr($key, 0, $pos);
-     }
-   }
-
-   if ($apikey && isset($_COOKIE[$apikey . '_ss'])) {
-     // We're logged into Facebook Connect.
-     // If fbConnect, we want to use another session id, so that if the
-     // user logs out of facebook, they are also logged out of drupal.
-
-     // Use globals to remember some values, for fb_connect.module to use.
-     $GLOBALS['fb_connect_apikey'] = $apikey;
-
-     // Rename the session id, so the Facebook Connect session is distinct from the original drupal session.
-     $new_session_id = 'fb_connect_' . $_COOKIE[$apikey . '_session_key'];
-
-   }
- }
+  // using sessionless iframes
+  // similar logic to clause above, using session key in url path
+  $new_session_id = "fb_canvas_{$nid}_" . $sess_key;
+  $new_session_name = "fb_canvas_{$nid}_" . $orig_session_name;
+}
+else {
+  // Try to learn session key from cookies (Facebook Connect)

+  $apikey = NULL;
+  // Discover APIKEY by inspecting cookies.
+  // This could be made more efficient by looking only for the primary apikey.
+  // I hesitate because some sites may need to support multiple connect apps.
+  // (I.e. one for the website and other for resizeable iframes in canvas pages)
+  foreach ($_COOKIE as $key => $value) {
+    if ($pos = strpos($key, '_session_key')) {
+      $apikey = substr($key, 0, $pos);
+    }
+  }
+
+  if ($apikey && isset($_COOKIE[$apikey . '_ss'])) {
+    // We're logged into Facebook Connect.
+    // If fbConnect, we want to use another session id, so that if the
+    // user logs out of facebook, they are also logged out of drupal.
+
+    // Use globals to remember some values, for fb_connect.module to use.
+    $GLOBALS['fb_connect_apikey'] = $apikey;
+
+    // Rename the session id, so the Facebook Connect session is distinct from the original drupal session.
+    $new_session_id = 'fb_connect_' . $_COOKIE[$apikey . '_session_key'];
+  }
+}
+
 if (isset($new_session_name)) {
   session_name($new_session_name);
- }
+}

 if (isset($new_session_id)) {
   if (!variable_get('fb_session_long_keys', TRUE)) {
-    // Facebook appends user id, time and expiry info which is not necessary for uniqueness.  Here we truncate that information to ensure the sid fits in sessions table.
+    // Facebook appends user id, time and expiry info which is not necessary for uniqueness.
+    // Here we truncate that information to ensure the sid fits in sessions table.
     $new_session_id = substr($new_session_id, 0, 64);
   }
   if ($new_session_id != $orig_session_id) {
@@ -129,22 +138,22 @@
     // If we've changed the session id, disable drupal's caching
     $GLOBALS['conf']['cache'] = 0;
   }
- }
- else {
-   // No session from facebook, so make sure we're not using an out of date one.
-   if (strpos($orig_session_id, 'fb_connect') === 0) {
-     // Old fbconnect session can be deleted
-     db_query("DELETE FROM {sessions} WHERE sid='%s'", $orig_session_id);
-     session_id(md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']));
-   }
-   else if (strpos($orig_session_id, 'fb_connect') === 0) {
-     // Canvas session should not be deleted as it could be a user visiting both the website and an iframe app
-     if (!$nid)
-       session_id(md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']));
-   }
- }
+}
+else {
+  // No session from facebook, so make sure we're not using an out of date one.
+  if (strpos($orig_session_id, 'fb_connect') === 0) {
+    // Old fbconnect session can be deleted
+    db_query("DELETE FROM {sessions} WHERE sid='%s'", $orig_session_id);
+    session_id(md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']));
+  }
+  elseif (strpos($orig_session_id, 'fb_connect') === 0) {
+    // Canvas session should not be deleted as it could be a user visiting both the website and an iframe app
+    if (!$nid) {
+      session_id(md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']));
+    }
+  }
+}

-
 if ($nid && !isset($_COOKIE[session_name()])) {
   // requests from facebook (FBML canvas pages) will not have cookies.
   // We want Drupal's session.inc to work properly, as if the session
@@ -153,10 +162,7 @@
     // Remember that cookies are actually disabled, some apps will want to display a message and/or redirect in this case.
     $_COOKIE['_fb_cookie_fake'] = TRUE;
   $_COOKIE[session_name()] = session_id();
- }
+}

-
 // Finally, include the logic of Drupal's session.inc
 include('includes/session.inc');
-
-?>
\ No newline at end of file