I used facebook login button that fetches the public profile and saves the email address in the database for the user, next time if the user logged out and logged in again, I search his email in the database. This method doesn't seem good because if the user was logged in and left the app, then opened it with no internet connection, the session is opened but without fetching the user public profile again, so he is logged in using facebook but I'm unable to know who he is! because I'm not being receiving any data of the user on this login! So I thought maybe I should store the AccessTokens on session open, but I'm not sure if this is the right way to go, and I don't know if this tokens identify the user or the app or the session or what! and I read that it could be null, so when can I securely use them if I'm supposed to?
If you use the newest SDK 4.0.1. The Profile is also saved, so you can see who's logged in by looking at Profile.getCurrentProfile(). Also you can get the current user id on the current access token.
The access token is the secret that's used to make graph calls. It is unique, if you store it with the user e-mail, you can use it to associate back to the e-mail.