My website can post to Facebook Feed of a user although he is logged out from FB

My website can post to Facebook Feed of a user although he is logged out
from FB

On my page, users can upload pictures and post them to their facebook wall
- but usually they should only be able to post on their wall if they are
logged in into their facebook account. I check the user status with this
piece of code:
// check if user is connected to facebook
$facebook = new Facebook(array(
'appId' =>
Yii::app()->params['fbAppId'],
'secret' =>
Yii::app()->params['fbSecret'],
));
$user = $facebook->getUser();
if ($user = $facebook->getUser()) {
try {
$user_profile = $facebook->api('/me');
echo "you are logged in";
} catch (FacebookApiException $e) {
$user = NULL;
echo "you are logged out";
}
}
(And even that code, which is recommended to check if a user has not only
a session but a valid fb login, returns true although I am no longer
logged in at Fb.)
Now, if I log in to my own page via Facebook Connect, and then log out
from FB - I am still logged in on my own webpage. Thats okay for the
moment. But what shouldn't work is this piece of code:
$facebook->api('/me/feed', 'POST', $attachment);
which means that the website will post the picture the user uploaded
directly to a user's feed. And this seems to work although the user is
logged out from facebook...
Btw, I request no offline permissons.
Best wishes, Sebastian