I'm using CodeIgniter to make a canvas app (this is important), NOT a web app. To my understanding that means I don't have to log the user in like a traditional Facebook Connect app would, by forwarding them onto a Login URL. Facebook should handle that.

However, although I get a full signed request, I'm unable to get a session. Below is my code:

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

use Facebook\FacebookSession;
use Facebook\FacebookRequest;
use Facebook\GraphUser;
use Facebook\FacebookRequestException;
use Facebook\FacebookCanvasLoginHelper;

class Welcome extends CI_Controller {

    public function index()
    {
        FacebookSession::setDefaultApplication('303962883111629', '71b94393839fc34d2cfd43006791c5ca');

        $helper = new FacebookCanvasLoginHelper();
        try {
            $session = $helper->getSession();
            echo '<pre>';
            print_r($helper);
            echo '</pre>';
        } catch(FacebookRequestException $e) {
            // When Facebook returns an error
            echo "Exception occured, code: " . $e->getCode();
            echo " with message: " . $e->getMessage();
        } catch(\Exception $e) {
            // When validation fails or other local issues
            echo "Exception occured, code: " . $e->getCode();
            echo " with message: " . $e->getMessage();
        }

        if ($session) {
            // Logged in
            $me = (new FacebookRequest(
                $session, 'GET', '/me'
            ))->execute()->getGraphObject(GraphUser::className());

            echo '<pre>$me: '.print_r($me, true).'</pre>';
        }
    }
}

This outputs the following (some values removed for obvious reasons):

Facebook\FacebookCanvasLoginHelper Object
(
    [signedRequest:protected] => Facebook\Entities\SignedRequest Object
        (
            [rawSignedRequest] => FmHcCuoY8lW9MXgqu5jQYrdzXQAhSC1GtCdPzeX**[partially-removed]**XNlciI6eyJjb3VudHJ5IjoiZ2IiLCJsb2NhbGUiOiJlbl9HQiIsImFnZSI6eyJtaW4iOjIxfX19
            [payload] => Array
                (
                    [algorithm] => HMAC-SHA256
                    [issued_at] => 1405023802
                    [user] => Array
                        (
                            [country] => gb
                            [locale] => en_GB
                            [age] => Array
                                (
                                    [min] => 21
                                )

                        )

                )

        )

    [appId:protected] => **[removed]**
    [appSecret:protected] => **[removed]**
    [state] => 
)

$session is set, but is NULL.

In a Canvas Facebook app, you need to ask the user to authorize your application to recover their unique identifier (and some other stuff).

All you can get without that is the langage of the user, and if he likes or not the page where you Canvas app is located. That's it.

So yes, you need them to log in to your application, and then you will be able to access their unique identifier. Otherwise you will always get a NULL answer.

I generaly use their Javascript SDK to fire the login popup in the canvas app, so that the user stays in the same windows.

I hope this will help you !