When creating a Facebook iframe app, Facebook passes parameters to the application as GET parameters. Within the query string is a field called fb_sig, which is a unique signature that only Facebook can create.
The problem I am having is that I can easily copy the query string, append it to my application URL and access the application from anywhere outside of Facebook. The methods that the Facebook API provides only check the GET parameters/COOKIE for certain values. Is there any API method that can actually return the log-in state of a Facebook user (that does not base it off GET parameters or COOKIE)?
In my opinion this is a major security flaw, as anyone can track a browser's requests and obtain the query string to access another user's account. Also, the fb_sig parameter that is provided by Facebook does not expire, so it can always be used to pass validation.
I have thought about checking the HTTP_REFERER flag to make sure the request is only coming from Facebook, but many people can spoof the referer and also disable it. Any suggestions or solutions?
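As an added illustration (not part of the question above, and not Facebook's own library code), here is the check a server-side handler would run before trusting any fb_sig_* value, with a freshness window that the application enforces on its own rather than relying on the platform to expire the signature. It assumes the legacy Facebook Platform scheme, in which fb_sig is the MD5 of the fb_sig_* parameters with the prefix stripped, sorted by name, concatenated as key=value and followed by the application secret, and that the signed payload carries a fb_sig_time Unix timestamp; the secret, the parameter values and the helper names (build_signed_query, verify_request) are constructed for this example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

PREFIX = "fb_sig_"
# Constructed placeholder; a real app reads its secret from configuration.
APP_SECRET = "0123456789abcdef0123456789abcdef"
MAX_AGE_SECONDS = 300  # application-chosen freshness window for fb_sig_time


def legacy_signature(fb_params, secret):
    """Legacy Facebook Platform signature (assumed scheme): MD5 over the
    prefix-stripped parameters, sorted by name and concatenated as key=value,
    followed by the application secret."""
    payload = "".join(f"{k}={v}" for k, v in sorted(fb_params.items()))
    return hashlib.md5((payload + secret).encode("utf-8")).hexdigest()


def build_signed_query(fb_params, secret):
    """Play Facebook's role for the demo: emit fb_sig_* parameters plus fb_sig.
    Constructed for this example only."""
    query = {PREFIX + k: v for k, v in fb_params.items()}
    query["fb_sig"] = legacy_signature(fb_params, secret)
    return urlencode(query)


def extract_fb_params(query_string):
    """Split a query string into (fb_sig_* values with the prefix removed, fb_sig)."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    stripped = {k[len(PREFIX):]: v for k, v in params.items() if k.startswith(PREFIX)}
    return stripped, params.get("fb_sig")


def verify_request(query_string, secret=APP_SECRET, now=None, max_age=MAX_AGE_SECONDS):
    """Return (ok, reason, fb_params). Only a signature that verifies AND is
    fresh is trusted: a copied query string replayed after max_age is rejected
    even though its fb_sig is still mathematically valid."""
    fb_params, presented = extract_fb_params(query_string)
    if not presented or not fb_params:
        return False, "missing fb_sig", {}
    expected = legacy_signature(fb_params, secret)
    # Constant-time comparison; encode both sides so a non-ASCII fb_sig cannot raise.
    if not hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")):
        return False, "bad signature", {}
    # Freshness: fb_sig_time is a Unix timestamp (sent as a float on the legacy
    # platform); without it the request cannot be bounded in time, so refuse it.
    try:
        issued = float(fb_params["time"])
    except (KeyError, ValueError):
        return False, "missing or malformed fb_sig_time", {}
    now = time.time() if now is None else now
    if now - issued > max_age:
        return False, "stale", {}
    if not fb_params.get("user"):
        return False, "no logged-in user in payload", {}
    return True, "ok", fb_params


if __name__ == "__main__":
    issued_at = 1700000000.0  # constructed timestamp
    qs = build_signed_query(
        {"user": "12345", "time": str(issued_at), "api_key": "demo", "added": "1"},
        APP_SECRET,
    )
    print(verify_request(qs, now=issued_at + 60))        # fresh request: ok is True
    print(verify_request(qs, now=issued_at + 3600))      # same string replayed later: "stale"
    tampered = qs.replace("fb_sig_user=12345", "fb_sig_user=99999")
    print(verify_request(tampered, now=issued_at + 60))  # edited user id: "bad signature"
```

The signature check defeats tampering (changing fb_sig_user without the secret cannot produce a matching fb_sig), and the max_age window limits how long a captured query string stays usable; what it cannot do is detect a replay inside the window, so the window should be as short as the redirect latency allows, and anything beyond that needs a server-side lookup of the session rather than trust in the request parameters.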