I'm failing to understand how it isn't a massive security hole that once someone logs into your website with their Facebook credentials, it cookies you in clear text with an access token.

It seems to me that the cookie that traverses the internet in clear text can be picked up and used by someone to make any calls on the graph API. I have to be missing something because I really don't see why they ask you to make calls to graph.facebook.com via https except the cookie you get given is sent completely clear and can be used as is.

I initially looked through the PHP API to see if somewhere some magical signing was going on, but it appears to me that you can read anything that the token was issued for. I've not tried writing back to the graph API with it, but this token lives for a long time if offline_access is requested, and I certainly wouldn't want someone getting hold of mine.

Can someone shed some light?
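The risk described above is a token-bearing cookie that a browser will send over plain HTTP; the `Secure` attribute tells the browser to send the cookie only over HTTPS, and `HttpOnly` keeps page scripts from reading it. The following is an added example, not code from the question or from the Facebook SDK: it audits `Set-Cookie` headers and flags cookies that look like they carry a session or access token but lack those attributes. The cookie names and values are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for token-bearing cookies that lack
# the Secure / HttpOnly attributes. Header values below are constructed.

# Constructed sample responses. The first imitates a cookie that stores an
# OAuth access token with no protective attributes at all.
SAMPLE_HEADERS = [
    'fbs_123456="access_token=EXAMPLE_TOKEN&expires=0&uid=42"; Path=/',
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

# Substrings that suggest a cookie carries credentials (assumption: heuristic).
TOKEN_MARKERS = ("access_token", "token", "session")


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly have no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip().strip('"'), attrs


def looks_like_token(name: str, value: str) -> bool:
    """Heuristic: does the cookie name or value mention a token or session?"""
    blob = f"{name}={value}".lower()
    return any(marker in blob for marker in TOKEN_MARKERS)


def audit(header: str) -> dict:
    """Report the cookie name, whether it is sensitive, and missing flags."""
    name, value, attrs = parse_set_cookie(header)
    missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
    return {"name": name, "sensitive": looks_like_token(name, value), "missing": missing}


def risky_cookies(headers) -> list:
    """Names of sensitive cookies the browser would also send over plain HTTP."""
    return [a["name"] for a in map(audit, headers)
            if a["sensitive"] and "secure" in a["missing"]]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit(h))
    print("cleartext-exposed:", risky_cookies(SAMPLE_HEADERS))
```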