I am developing a PHP/MySQL e-commerce site with some social aspects, and am looking to integrate it with Facebook. I already have a native user registration/session handling system. I have managed to include the iframe "Social Plugins" such as a "Like" button. But I really would like to offer users the option of registering with the site via Facebook over the native registration process.
I understand the idea of getting an access token via the OAuth protocol, and eventually getting a user ID. My concerns are two-fold:
Is this method secure? This is an e-commerce site, but I am not storing any credit cards or any other sensitive data. I can't think of how this could be exploited, but I am only one head!
I understand how to retrieve the initial token and get the user ID during the registration process. But how do I recognize a return (session) user? Do I have to implement the Javascript SDK for that (something I want to avoid)? Or, do I handle the sessions just like they already are handled natively, but replace a normal user ID in the session cookie with a Facebook user ID when appropriate?
I apologize if the answers are obvious. I have scoured Google and the Facebook documentation, but half the links I find are to deprecated FBConnect wiki articles, and the new docs are helpful, but sparse on the examples. I have no idea what is still supported, what is new, and how to do this!