0

I'm developing a Facebook app that will run in canvas. This is the scenario (I think it's very common). This is all server-side implementation.

Being:

APP_URL: https://apps.facebook.com/xxxxxx/
CANVAS_URL: https://myexample.com/facebookApp/

  1. Step 1 (index of the app) has a form. It has action="CANVAS_URL/step2" (note that is not the app Url). In order to use signed_request in the next step, it has an hidden field <input type="hidden" name="signed_request" value="<?php echo $_POST['signed_request'] ?>" />

  2. Step 2: it receives the info of the form and stores it in a Session, then parses the signed_request. This works OK. I store it in the Session because I want to save it to a database after the user is authenticated. If user was logged on to the app, I redirect him to APP_URL/step3; if not, I redirect him to login dialog, with &redirect_uri=APP_URL/step3 . In both cases, note that the step 3 is APP_URL/step3 (as I need signed_request again to check if user has authenticated and another data). All redirections are made with JavaScript: <script type="text/javascript">window.top.location = "URL";</script>

  3. Step 3: now I want to save the data previously stored in the Session. BUT as the user is navigating through FB canvas, the session data is not available.

I tried several combinations. If the form is sent to APP_URL/step2 (instead of CANVAS_URL/step2, in order to create the session for APP_URL), I can't retrieve the posted data (because it is sent to FB, not to the CANVAS_URL).

I thought about using the session_id to recreate the Session in APP_URL, but I'm afraid that it isn't a very secure approach. I'm sure that there must be a better workaround.

Michael Petrotta
  • 59,888
  • 27
  • 145
  • 179
Marcelo Pascual
  • 810
  • 8
  • 20
  • Why not authenticate the user _before_ they fill out the form? Or deviate from the server-side-only approach, and use the JS SDK to log the user in to your app – that way, you can keep the filled-out form and submit it afterwards. – CBroe Oct 24 '12 at 22:38
  • @CBroe: I started with server-side approach as it seemed simpler. Instead of mixing server-side (storing to Session, DB) and client-side (FB login, permissions, post to strem), I thought that it would be more clever to use only one "side". I think that what I'm suggesting is simple and fast, there must be one workaround. – Marcelo Pascual Oct 24 '12 at 23:02
  • Well, saving the session id into a cookie would be one “workaround” … with the obvious third-party-cookie-problems across different browsers and configurations as a drawback. But is passing the session id as URL parameter really that unsecure in this scenario …? – CBroe Oct 24 '12 at 23:09
  • @CBroe Well, not really, but I want to do it clear and transparent for the user. Adding the session id to the url (it works) is not the best practice, I suppose... – Marcelo Pascual Oct 24 '12 at 23:19

0 Answers0