Note on Facebook’s secure cookie format
In their new secure cookie format, Facebook provides an OAuth code, which Koala automatically exchanges for an access token. Because this involves a call to Facebook’s servers, you should consider storing the user’s access token in their session and only calling get_user_info_from_cookies when necessary (access_token not present, you discover it’s expired, etc.). Otherwise, you’ll be calling out to Facebook each time the user loads a page, slowing down your site. (As we figure out best practices for this, we’ll update this wiki.)
Let me get this straight: even if I use the JavaScript SDK to parse the cookies I still need to do a server-to-server call to Facebook? Doesn't this make the whole JavaScript SDK for user authentication kind of useless? I always need to check the cookies (so I won't have a stale access token) thus calling Facebook every time?
What this quote is talking about is lightening the load on Ruby by not re-validating the OAuth token with a key exchange between Ruby and FB every call.
So, you can save the token in session/db/your own cookie/etc. or you can have FB's JS SDK revalidate it and pass it to you as part of your request.
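An added example (not from the thread and not Koala's own code) of the session-caching approach the wiki note recommends: the signed `fbsr_<app_id>` cookie is checked locally with the app secret, and the server-to-server code exchange runs only when the session holds no fresh token for that user. The helper names, the `"fb"` session key and the `ttl` cache lifetime are assumptions; `session` and `cookies` are any hash-like objects.

```ruby
require "openssl"
require "base64"
require "json"

# Check the fbsr_<app_id> cookie locally: HMAC-SHA256 over the payload, keyed
# with the app secret. No request to Facebook is made here.
def verify_signed_cookie(value, app_secret)
  sig_b64, payload_b64 = value.to_s.split(".", 2)
  return nil unless sig_b64 && payload_b64
  expected = OpenSSL::HMAC.digest("SHA256", app_secret, payload_b64)
  given = Base64.urlsafe_decode64(sig_b64)
  return nil unless given.bytesize == expected.bytesize
  # Constant-time comparison of the two MACs.
  return nil unless given.bytes.zip(expected.bytes).sum { |a, b| a ^ b }.zero?
  payload = JSON.parse(Base64.urlsafe_decode64(payload_b64))
  payload.is_a?(Hash) && payload["algorithm"] == "HMAC-SHA256" ? payload : nil
rescue ArgumentError, JSON::ParserError
  nil
end

# Return an access token, exchanging the OAuth code only when the session has
# no fresh token for the user named in the cookie.
# oauth: object responding to get_user_info_from_cookies
#        (a Koala::Facebook::OAuth instance in a real app).
# ttl:   assumed app-chosen cache lifetime in seconds, not a Facebook value.
def facebook_token(session, cookies, oauth, app_id, app_secret,
                   now = Time.now.to_i, ttl = 3600)
  payload = verify_signed_cookie(cookies["fbsr_#{app_id}"], app_secret)
  unless payload
    session.delete("fb") # cookie missing or signature invalid: drop cached token
    return nil
  end
  cached = session["fb"]
  if cached && cached["user_id"] == payload["user_id"] && cached["expires_at"] > now
    return cached["token"] # same user, still fresh: no call to Facebook
  end
  info = oauth.get_user_info_from_cookies(cookies) # server-to-server exchange
  return nil unless info && info["access_token"]
  session["fb"] = { "user_id" => payload["user_id"],
                    "token" => info["access_token"], "expires_at" => now + ttl }
  info["access_token"]
end
```

Binding the cached token to the `user_id` in the verified cookie means a logout or account switch in the browser invalidates the cached token on the next request instead of reusing it.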