I'm developing an IFrame-based Canvas app. I'm hoping to use Adobe's AS3 API to do the lion's share of work with retrieving and displaying the user's Facebook information (my current goal is to display a list of friends).
The AS3 API expects that three values be passed down to the Flash movie from the IFrame page: fb_sig_api_key fb_sig_session_key fb_sig_ss
It's the last of these that is proving to be a problem. I've narrowed my problem down to this behavior:
When I access my page at http://apps.facebook.com/MYTESTAPP/ ...then the page within the IFrame is sent a number of GET parameters (e.g. fb_sig_app_id,fb_sig_user, and fb_sig_added=1 ... yes this user has authorized the app). But it is NOT sent fb_sig_ss. (It's also not sent fb_sig_cookie_sig.)
However when I access my page at http://apps.facebook.com/MYTESTAPP/foo
...Then suddenly my IFrame is sent three additional parameters: fb_sig_ss fb_sig_cookie_sig foo
Soooo I have no idea what's going on here. If I can't reliably get the fb_sig_ss variable, I'm going to have to do a runaround on the AS3 code and create a WebSession with the hard-coded application secret, but I'm told that this is not a best practice and this is why the fb_sig_ss (session secret) was used...
Can I get the fb_sig_ss without these meaningless URL characters? If not, is there a way to get the AS3 API to work without needing this session value?