Hi there, I am reading the Facebook API docs and ran into a little confusion, and I hope that you might help. I am using the JavaScript SDK specifically, and on getting the request.session back from the login callback, I wonder if the field 'sig' is the same as the 'auth_token'? I know the descriptions of both are different, but I wonder if they are the same in reality. If anyone knows, I would much appreciate it. Thanks in advance.
auth_token is a token that Facebook generates for desktop applications that you must send back to Facebook again immediately when logging in.
sig, on the other hand, is an md5 hash of all session data combined with your application's private key. You can reconstruct the sig from the session data and compare it with the sig passed in, and if it matches the response can be considered authentic.
Consider the following keys stored as a cookie:
a=1
b=2
sig=8a80b0b971da5be75e7197576331b24e
Assume the application's private key is "hello". We can try to reconstruct the sig as:
md5("a=1" + "b=2" + "hello"); // 8a80b0b971da5be75e7197576331b24e
which equals the value of sig in this case. We constructed this by concatenating all key=value pairs in alphabetical order by key ("a" comes before "b"), then appending the private key, and finally taking the md5 of the resulting string.
I wrote a blog post for verifying the cookie set by Facebook in Rails (PHP example is already given on Facebook's website).