An algorithm to workout on this

1. Ask for permission from the user
2. Save the token
3. Periodically check for an access token is near to expire or not
4. If its in verse of expiry, embed some dummy iframe, which redirects to the facebook homepage. - Extend auth token without refreshing the page
5. This should refresh the token. You might need to generate another token or continue with the same. Whatever be required, can be done without refreshing the page.

I would subscribe to the expiry trigger (I think this is authResponseChange), then automate another login check. It won't be a perfect solution as it could trigger a pop up (if they have logged out for example) automatically, which a lot of browsers may block. You could instead, when the token expires, check if they will need to complete a pop up, and display a notification on your page somewhere saying 'Facebook needs your attention to continue', then only launch the pop up from their response, which would stop the pop up being blocked.

FB.Event.subscribe('auth.authResponseChange', function(response) {
  // do something with response
  FB.login(){
    // refresh their session - or use JS to display a notification they can 
    // click to prevent pop up issues
  }
});

I presume you are using the iframe signed_request parameter to get your access token. One method of achieving what you require is to use the oAuth 2.0 method of aquiring an access token. This is more prolonged in the first instance; your server and Facebook's have to exchange credentials which can be slow, but it means that you will be given a code that can be exchanged for an access token regularly, meaning your server can maintain the session periodically (probably from an ajax call from the client). You would then pass this new access_token to the client, and use it in your dialog call for your requests (gifts).

Hope that helps.

Spabby

If you get the access_token without specifying any expiry to them they will not expire .. atleast not till the time user either changes his Fb credentials or de registers your application ..

Have you thought of using ajax? After two hours you will check, if user is still active. If so, you send axax request to URL, where his session details will be updated. example:

$(document).ready(function(){
    setInterval('update_session()', 5500000);
})
update_session(){
    $.post({
        URL: ..., // script to update session on server
        data:{ /* username, password */ },
    })
}

and the server-side just takes username and password from post or and runs relogin.

Have a look at https://developers.facebook.com/docs/offline-access-deprecation/#extend_token

basically you extend the token with

https://graph.facebook.com/oauth/access_token?             
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN 

that will give you new token with new expiry time (it should be 60d but I'm noticing similar bug like described here https://developers.facebook.com/bugs/347831145255847/?browse=search_4f5b6e51b18170786854060 )