Basically my question is this.. Can I use the PHP FB SDK to verify a user is authenticated on each page load without an API call? How? Is there a way to do it that is compatible with canvas?
The reason I don't want any API calls is because I hit the limit once and my app went down for an entire night. Don't want that again...
A workaround I'm thinking of is to store the user token (which I want to anyway) and use that in a session/cookie to authenticate the user on every page load in PHP, but I'm not sure if this is the best approach, because: Using my own session/cookie would allow a user to stay logged in even if they are not logged in FB. Also, I presume FB wouldn't allow this for a canvas app.
The workaround you mentioned is the right way of doing it. Saving tokens, using and updating them as they become expired - the way most companies stick to.