I have been implementing the 'login through Facebook' button on my e-commerce site by using the JavaScript SDK and the example here: http://developers.facebook.com/docs/authentication/ .

However, I have noticed that the cookie created by the SDK can be transmitted through http (as opposed to https) and I am pretty sure this is not the safest thing to do?

What do you guys recommend I do to fix this?

A: 

Your website can ensure that it is using https for its pages that transmit the Facebook token. Facebook is being flexible by enabling http or https.

If you don't want to (or can't) use https, then the question becomes what are the real risks?

China, Iran and other repressive countries do target social network users such as Facebook. But problems are far fewer in other countries.

Will your customers even notice use of http vs https? E.g., the main Facebook site will work with either. They do NOT switch http users to the https protocol. (Unlike most banks.)

Larry K
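
One way to make the site serve the pages that carry the login cookie only over https, as the answer suggests. This is an added example, not code from the original question or answer; it assumes a Node.js server, and `ALLOWED_HOSTS`, the `max-age` value and the function names are hypothetical.

```javascript
// Added example. ALLOWED_HOSTS, the max-age value and the function names
// are assumptions, not taken from the original post.
const ALLOWED_HOSTS = new Set(['shop.example', 'www.shop.example']);
const HSTS_VALUE = 'max-age=31536000; includeSubDomains';

// Decide what to do with a request so that pages which carry the login
// cookie are only ever served over TLS.
function httpsPolicy(req, { trustProxy = false } = {}) {
  const host = String(req.headers.host || '').toLowerCase().replace(/:\d+$/, '');
  // Never build a redirect from an unknown Host header (open redirect).
  if (!ALLOWED_HOSTS.has(host)) return { action: 'reject', status: 400, headers: {} };

  // Behind a TLS-terminating proxy the socket is plain TCP, so the proxy's
  // X-Forwarded-Proto is honoured only when explicitly trusted.
  const forwarded = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  const secure = Boolean(req.socket && req.socket.encrypted) ||
                 (trustProxy && forwarded === 'https');

  if (!secure) {
    return { action: 'redirect', status: 301,
             headers: { Location: `https://${host}${req.url || '/'}` } };
  }
  // Over HTTPS: tell the browser to stop using http:// for this site.
  return { action: 'serve', status: null,
           headers: { 'Strict-Transport-Security': HSTS_VALUE } };
}

// Wrap a Node request handler, e.g. http.createServer(enforceHttps(app)).
function enforceHttps(handler, options) {
  return (req, res) => {
    const decision = httpsPolicy(req, options);
    for (const [name, value] of Object.entries(decision.headers)) res.setHeader(name, value);
    if (decision.action === 'serve') return handler(req, res);
    res.statusCode = decision.status;
    res.end();
  };
}
```

A redirect alone does not protect the first plain-http request, which already carries any cookie that lacks the `Secure` attribute. The `Strict-Transport-Security` header is what makes the browser skip http on later visits.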