I have a Facebook app which loops forever when run in IE. In other browsers it works fine.

I need your help to debug this, but before that I need to mention how I have implemented it.

FB recommends that when user tries to access the app we should redirect the user to the app authorization page. From there FB will redirect (using 302 code) to an url which we like. In this case I ask FB to redirect to my app's url with a flag appLogin=1 in query string. But along with that FB attaches a really long param code in the query string which is quite ugly. So, in this case I put a flag LoggedIn in my PHP session and redirect the user back to the app url using a JS code window.top.location.href = <app url>. This cleans the url in the location bar.

This works fine in Firefox and Chrome, but in IE LoggedIn flag is missing from the session after the code redirects from appLogin stage. In fact it seems the PHP session has reset in this case. This confuses my app into believing that this is an initial request so it redirects user to the authorization page.

I hope the above makes sense. Really appreciate any insight.

Update1:

As requested. Here goes the code snippet.

$reset = false;
$topRedirect = true;

if (isset($_REQUEST['appLogin'])) {
    resetSession();
}
session_start();

$facebook = new Facebook(array(
  'appId' => $AppId,
  'secret' => $AppSecret,
  'cookie' => true,
));

if (isset($_REQUEST['appLogin'])) {//Comes here when appLogin is set, i.e. we have just been redirected here from OAuth (authorization) page.

    if (isset($_REQUEST['error'])) {
        if ($_REQUEST['error_reason'] === 'user_denied') {
            $msg = "You need to click on 'Allow', so that this App can fetch the data needed.";
            $allowRetry = true;
            include('error.php');
        }
    }

    $authToken = $facebook->getUserAccessToken(); //This was originally protected. Made public for my purpose.
    if ($authToken === false) {
        //If no user token found and it wasn't even an error then this is totally unexpected.
        $msg = "Totally unexpected error occurred!";
        $allowRetry = true;
        logErr($msg);
        include('error.php');
    }

    $_SESSION['LoggedIn'] = 1;
    $reset = false;
    $url = $AppUrl; //We redirect again to clean the url.
    include('redirect.php');
} else {
    if (!isset($_SESSION['LoggedIn']) || $facebook->getUserAccessToken() === false) {
        //If we are here then this is an initial request.
        $reset = false;
        $url = $OAuthUrl;
        include('redirect.php');
    }
}

$accessToken = $facebook->getAccessToken();

Update2:

The included files - redirect.php and error.php invoke exit() when their processing is done. So the code after them won't get executed.

It's a problem with redirects. IE handles them differently.

You can solve that with a simple P3P policy HTTP header you can send:

P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"

In PHP, that would be:

header('P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

The reason is that IE needs P3P policies in place when using frames, since your application runs inside an iframe and its parent belongs to a different domain (this case Facebook.com), then cookies will not work (unless P3P policies are being set). And since cookies won't work, then you are probably looping with your redirects used to login to Facebook.

Solution: need to implement P3P header to tell the browser that cookies for your application inside iframe are OK for user privacy.

I noticed something else in your code. You don't need a comma after 'cookie'=>true. That will mess things up in IE.