views:

384

answers:

1

When creating a facebook iframe app, facebook passes parameters to the application as GET parameters. Within the query string is a field called fb_sig which as a unique signature that only facebook can create.

The problem I am having is that I can easily copy the query string append it to my application url and access the application from anywhere outside of facebook. The methods that the facebook api provides only check the GET parameters/COOKIE for certain values. Is there any api method that can actually return the log-in state of a facebook user (that does not base it off GET parameters or COOKIE).

In my opinion this is a major security flaw as anyone can track a browsers requests and obtain the query string to access another user's account. Also the fb_sig parameter that is provided by facebook does not expire so it can always be used to pass validation.

I have thought about checking the HTTP_REFERER flag to make sure the request is only coming from facebook but many people can SPOOF the referer and also disable it. Any suggestions or solutions?

A: 

getLoggedInUser() will return the uid of the user associated with a session. If the session isn't current, you won't get a valid id back.

Unfortunately, the flaw you describe with session passing isn't limited to Facebook, it's the nature of the WWW. Any site that bases their authentication on sessions is subject to the same flaw that you describe, whether the session token is being passed via URLs or cookies. If you manage to retrieve the session id somehow (sniffing) while it is still current, you are free to access whatever site it might be using that session id, unless there is some other form of security in place.

The only real form of HTTP security is SSL-encrypted communication.

zombat
I think the problem is that users are granting my application offline_access so their session keys are infinite so even if I do use getLoggedInUser() even if the user is logged out it will still return the uid.