Hello,

I am trying to incorporate facebook login in my ASP.NET web app and came across the following article which has a code sample for the same.

http://ntotten.com/2010/04/new-facebook-connect-in-csharp/

The following is from the article.

Next, and most importantly, the class validates the cookie. This validation uses MD5 hashing to compare the contents of key appended to the app secret to the signature that comes in with the cookie. If these values match we know the key is valid.

Why is MD5 hashing being used for that? Why not SHA or some other algo?

What happens if I don't validate the cookie? Can invalid cookies be sent to the server?

In the article, he throws a new security exception if the cookie is invalid. What should the user do in such a case?

I have never really worked with cookies, so I am trying to get the basics right here.

Thanks.

A: 

Ok, after some more searching and going through the code, I finally got it.

http://developers.facebook.com/docs/authentication/fb_sig

sassyboy
Be careful about using the fb_sig authentication. That is going away very soon. If you are starting a new app it would be better to use the new OAuth 2.0 authentication system. http://developers.facebook.com/docs/authentication/canvas
Nathan Totten
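The cookie check that the article and the fb_sig doc describe, as an added example in C# (not the article's code nor the Facebook C# SDK's): the server sorts the cookie's key/value pairs, concatenates them as key=value, appends the app secret, MD5-hashes the result and compares it with the cookie's sig. The cookie layout, the field names and the hashing scheme are assumptions taken from the article's description; the app secret and cookie values are constructed, and the comparison is fixed-time.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added example, not code from the article or the Facebook C# SDK. Cookie layout as the
// article describes: key/value pairs plus "sig" = MD5(sorted "key=value" pairs + app secret).
static class FbCookieValidator
{
    // True only when the cookie's "sig" matches the MD5 recomputed with appSecret.
    public static bool IsValid(IDictionary<string, string> cookie, string appSecret)
    {
        string sig;
        if (!cookie.TryGetValue("sig", out sig) || string.IsNullOrEmpty(sig)) return false;
        return FixedTimeEquals(ComputeSig(cookie, appSecret), sig.ToLowerInvariant());
    }
    // Recompute the signature; only a holder of appSecret can produce a matching one.
    public static string ComputeSig(IDictionary<string, string> cookie, string appSecret)
    {
        var payload = new StringBuilder();
        foreach (var kv in cookie.Where(p => p.Key != "sig").OrderBy(p => p.Key, StringComparer.Ordinal))
            payload.Append(kv.Key).Append('=').Append(kv.Value);
        payload.Append(appSecret);
        using (var md5 = MD5.Create())
        {
            byte[] hash = md5.ComputeHash(Encoding.UTF8.GetBytes(payload.ToString()));
            return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
        }
    }
    // Compare every character so the time taken does not reveal where a mismatch is.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
class Demo
{
    static void Main()
    {
        const string appSecret = "constructed-app-secret"; // placeholder, not a real secret
        var cookie = new Dictionary<string, string> { { "expires", "0" }, { "session_key", "constructed-key" }, { "uid", "12345" } };
        cookie["sig"] = FbCookieValidator.ComputeSig(cookie, appSecret); // what Facebook would have signed
        Console.WriteLine("genuine cookie valid: " + FbCookieValidator.IsValid(cookie, appSecret));
        cookie["uid"] = "99999"; // same cookie with the user id altered in transit
        Console.WriteLine("tampered cookie valid: " + FbCookieValidator.IsValid(cookie, appSecret));
    }
}
```

Because the secret never leaves the server, a cookie whose contents were altered without being re-signed fails the check, which is what the second call in Main shows.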
A: 

I recommend you just use the SDK I made to do the verification. http://facebooksdk.codeplex.com. That article was basically the first code I wrote when starting that SDK. The SDK will handle pretty much everything you will need to do to develop a facebook app on .NET. We use it where I work on some very large facebook apps hosted on windows azure.

The SDK will handle all the hashing/validating for you. All you need to do is this:

var app = new FacebookApp();
var session = app.Session;
if (session != null) { 
  // Session is valid 
} else {
  // Session is not valid
}

The session object is validated before it is returned to you.

Nathan Totten
Nathan, I have had a look at the SDK you have developed and it is a rework for me if I switch to the SDK now. But good work, will definitely try that in the future.
sassyboy