I have followed the instructions in this great Stackoverflow question but i am not sure about this verify signature thing. Is this provided in some way in the Facebook Toolkit or do i have to do something myself? The documentation is not superclear on how to do this and if it is already baked in the facebook toolkit i don't want to spend to much time on it.
Anyone have done this? Should mention i use a standard ASP.NET Web Application in C#. Any help would be appreciated!
At the moment, you have to do it yourself. I've provided a simple method you can call to see if the signature is valid or not.
private bool IsValidFacebookSignature()
{
//keys must remain in alphabetical order
string[] keyArray = { "expires", "session_key", "ss", "user" };
string signature = "";
foreach (string key in keyArray)
signature += string.Format("{0}={1}", key, GetFacebookCookie(key));
signature += SecretKey; //your secret key issued by FB
MD5 md5 = MD5.Create();
byte[] hash = md5.ComputeHash(Encoding.UTF8.GetBytes(signature.Trim()));
StringBuilder sb = new StringBuilder();
foreach (byte hashByte in hash)
sb.Append(hashByte.ToString("x2", CultureInfo.InvariantCulture));
return (GetFacebookCookie("") == sb.ToString());
}
private string GetFacebookCookie(string cookieName)
{
//APIKey issued by FB
string fullCookie = string.IsNullOrEmpty(cookieName) ? ApiKey : ApiKey + "_" + cookieName;
return Request.Cookies[fullCookie].Value;
}
Note: SecretKey and ApiKey are values provided by Facebook that you need to set.
You can do this using FBConnectAuth, it does the same as above, and a little more.