
I am making a web application where I get a user's information from his/her facebook api after he/she logs in with facebook to use my web application.

I have PHP code that succeeds in getting an offline_access access_token from a user when he/she logs into my application.

However, I am not sure what to do with that token. Do I insert it into the database when I insert other information about the new user into my database, so I can have access to it when the user is offline? If so, should I be treating it with the same security as a password?

Any help/suggestions greatly appreciated.

Marina

3 Answers


Yes, you store the token in your database. No, the security on this is not very good. You can't treat it like a password: you would salt and hash a password, but you need to keep the original access token value. This is fundamental to OAuth; you're trusting the app provider (you) with the "keys to the kingdom".

Spike Gronim

Depending on the Facebook SDK version, you should store the user session (SDK 2.x) or only the access token (SDK 3.x). The best place to store it is the database. I usually save tokens on user creation and refresh the saved token on user login (because tokens still have an expiration time).

Then, when you need to use the token (or session), you should use either

setAccessToken($stored_token)

or

setSession($stored_session)

Hope this helped.

Rinat
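The two answers above agree on the key point: the token has to be stored in recoverable form (it cannot be hashed like a password) and loaded again for setAccessToken(). The following is an added example, not code from the question or from either answer, showing one way to do that with the token encrypted at rest so a dumped database table does not hand over usable tokens. It assumes PHP 7.2 or newer (libsodium is built in), a PDO connection, and a 32-byte application key kept outside the database in an environment variable; the variable name TOKEN_KEY, the table fb_tokens and the token value are constructed for the example.

```php
<?php
// Added example: store a Facebook access token encrypted at rest and load it
// again for $facebook->setAccessToken(). Not from the question or the answers.
// Assumes: PHP >= 7.2 (sodium_* built in), a PDO connection, and a secret key
// held outside the database in the (hypothetical) env var TOKEN_KEY
// (32 random bytes, base64-encoded).

function tokenKey(): string {
    $key = base64_decode(getenv('TOKEN_KEY') ?: '', true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('TOKEN_KEY must be 32 random bytes, base64-encoded');
    }
    return $key;
}

// Authenticated encryption with a fresh random nonce; the nonce is prepended
// so decryption can recover it. The same token encrypts differently each time.
function sealToken(string $token): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($token, $nonce, tokenKey());
    return base64_encode($nonce . $box);
}

// Decrypt and verify; a wrong key or a tampered row fails here instead of
// silently yielding garbage.
function openToken(string $sealed): string {
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('stored token is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $token = sodium_crypto_secretbox_open($box, $nonce, tokenKey());
    if ($token === false) {
        throw new RuntimeException('stored token failed authentication (wrong key or tampered row)');
    }
    return $token;
}

// Save on user creation, overwrite on each login (tokens expire, as noted above).
function saveToken(PDO $db, int $userId, string $token, int $expiresAt): void {
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO fb_tokens (user_id, token_sealed, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$userId, sealToken($token), $expiresAt]);
}

// Decrypt only at the moment the token is needed; null if missing or expired.
function loadToken(PDO $db, int $userId): ?string {
    $stmt = $db->prepare('SELECT token_sealed, expires_at FROM fb_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int)$row['expires_at'] <= time()) {
        return null;
    }
    return openToken($row['token_sealed']);
}

// Demo against an in-memory SQLite database with a constructed token value.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fb_tokens (user_id INTEGER PRIMARY KEY, token_sealed TEXT NOT NULL, expires_at INTEGER NOT NULL)');
// Demo only: a real deployment sets TOKEN_KEY in the environment, never in code.
putenv('TOKEN_KEY=' . base64_encode(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)));

saveToken($db, 42, 'CONSTRUCTED_FAKE_TOKEN', time() + 3600);
$token = loadToken($db, 42);
// $facebook->setAccessToken($token);   // SDK 3.x call from the answer above
var_dump($token === 'CONSTRUCTED_FAKE_TOKEN');
```

The encryption does not make the token as safe as a hashed password, which is Spike's point: anyone who holds both the database row and the key can use the token. What it does buy is that a database-only leak (backup, SQL injection, misconfigured replica) yields nothing usable, and a tampered row is detected rather than forwarded to Facebook. Keeping the key in the environment or a secrets manager, and refreshing or revoking tokens on logout, limits the window further.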

That is only when you need to post on their wall without the user posting it themselves. It's up to you if you need that feature.

Nav