Facebook Login as supplement to existing login?

Question

I am developing a PHP/MySQL e-commerce site with some social aspects, and am looking to integrate it with Facebook. I already have a native user registration/session handling system. I have managed to include the iframe "Social Plugins" such as a "Like" button. But I really would like to offer users the option of registering with the site via Facebook over the native registration process.

I understand the idea of getting an access token via the OAuth protocol, and eventually getting a user ID. My concerns are two-fold:

1. Is this method secure? This is an e-commerce site, but I am not storing any credit cards or any other sensitive data. I can't think of how this could be exploited, but I am only one head!

2. I understand how to retrieve the initial token and get the user ID during the registration process. But how do I recognize a return (session) user? Do I have to implement the Javascript SDK for that (something I want to avoid)? Or, do I handle the sessions just like they already are handled natively, but replace a normal user ID in the session cookie with a Facebook user ID when appropriate?

I apologize if the answers are obvious. I have scoured Google and the Facebook documentation, but half the links I find are to deprecated FBConnect wiki articles, and the new docs are helpful, but sparse on the examples. I have no idea what is still supported, what is new, and how to do this!

Answer 1

1. Yes Oauth is very secure. Many many applications rely on it and there are no known ways to exploit it.

2. One way you could do this is store the Facebook id's of users so when they come back you can see that their id already exists in your records and know it is a returning user. Their session may be different (expired since last visit for example) so you don't want to store their access token; but their Facebook user id is always be the same.

How I basically integrated Facebook registration/login on my site is I added a facebook_id column in my users table and a "Register with Facebook" button. If the user clicks, authenticates with Facebook and I get back a session and the user is new, I redirect to the registration page, prefill as many fields as I can with data from Facebook (like their name), and add the Facebook id as a hidden input field. Therefore when they register, their facebook_id will be filled in the database. This is the same registration page as the standard one, so the only difference with a non-Facebook user is that the facebook_id field will be empty. If you want, you can also not require a password for Facebook users.

For the user to log in, the user would just click a "Login with Facebook" button and authenticate with Facebook. Once Facebook gives me the session, I log the user in as whatever user has the facebook_id as the one in Facebook's session. Since you are worried about security, I'll note that this session cannot be forged as it is signed with the application secret key that only you and Facebook know. If you use Facebook's SDK (which you should) you do not have to worry about the signing and signature verification. The fact that you can read coherent information from the session means that Facebook's SDK has verified it.

This Facebook page is a great guide on integrating registration with Facebook.