tags:

views:

415

answers:

2
Q: 

Generate the facebook signature using my applications secret key?

When you build a website with "facebook connect" and you log into facebook with your username and password, facebook then sets a session on your website.

In that session is a generated "signature"

This signature is created by combining the data of your "application secret" that only you and Facebook know, and the result MD5 hashed.

I need the algorithm used to generate that signature so that I can recreate it and make sure it matches the one signature created by facebook.

if($_SESSION['facebookSignature'] == reGeneratedSignature){
   // save to database
}else{
  // go away I don't trust you
}

This way I can validate the user and I don't need to make unnecessary calls to Facebook and alow the user to continue to use the website.

A: 

The Verifying The Signature link is the way to go, so that should be working for you.

Have a look at the source code for FBConnectAuth, it does what you want, and is generic so that it will adapt to any new FB Connect cookies that may appear - so hopefully that will adapt to the new JS library.

Hope that helps,

Adam

Adam C  2009-12-17 17:45:22
Actually I got all the info I needed here:http://wiki.github.com/facebook/connect-js/faqThanks Adam
Derrick  2009-12-18 18:37:33
Great, I think I'm going to amend FBConnectAuth so that it will work with the new cookie format... Adam
Adam C  2009-12-19 00:23:05
A: 

Reconstructing the signature created by Facebook is rather simple. You just need to append all key=value pairs, then append your private key, and finally compute the MD5 hash of the resulting string.

More details on how the signature is constructed can be found on this answer.

Facebook has provided a PHP example of how to do reconstruct the sig here in the Single Sign-On section.

I have written a blog post doing exactly the same, but in Ruby instead.

Anurag  2010-08-01 03:44:49

related questions

What is typically the length of your optimal coding session?
What's the most current, good practice, and easiest way to use sessions in PHP?
What can cause an ASP.NET worker process to be recycled?
How do I explicitly set asp.net sessions to ONLY expire on closing the browser or explicit logou?
session variable mixup in ASP.NET?
In Classic asp, can I store a database connection in the Session object?
What are the advantages and disadvantages of the Session Façade Core J2EE Pattern?
Different values of GetHashCode for inproc and stateserver session variables
Best way for allowing subdomain session cookies using Tomcat
Is there a way to specify a different session store with Tomcat?
PHP: $_SESSION - What are the pros and cons of storing temporarily used data in the $_SESSION variable
What is the best way to handle sessions for a PHP site on multiple hosts?
How much data can/should you store in a users session object?
ASP.Net Session_Start event not firing
Logging image downloads
ASP.Net: If I have the Session ID, Can I get the Session object?
Secure session cookies in ASP.NET over HTTPS
Django Sessions
Can I put an ASP.Net session ID in a hidden form field?
Always including the user in the django template context
Rails - recovering database from Production.log
Most efficient way to get data from the database to session
What is the best way to prevent session hijacking?
FOSS ASP.Net Session Replication Solution?
How do I best detect an ASP.NET expired session?