I have a Facebook canvas app. I am using the JS SDK to authenticate the user on the browser-side and request various information via FB.api (e.g. name, friends, etc.).
I had exactly the same question recently. It's option 2. Check this post from the Facebook blog.
To be honest I am not enough of a hacker to know if you could spoof the UID in the cookie, but this seems to be the 'official' way to do it.
EDIT: to the other question under option 2, yes, I believe you have to access this cookie on your domain.
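On the spoofing concern raised in the answer, here is an added example (not code from the original post or from Facebook) of a server-side check that rejects a cookie whose user ID has been altered. It assumes the cookie value uses Facebook's `signed_request` layout: a base64url HMAC-SHA256 signature, a dot, then a base64url JSON payload with `algorithm` and `user_id` fields. The app secret, user IDs and sample cookie values are constructed.

```javascript
const crypto = require("node:crypto");

// base64url helpers: '-' and '_' instead of '+' and '/', no padding.
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}
function b64urlEncode(buf) {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns the verified payload object, or null if the value is malformed,
// the signature does not match, or the declared algorithm is unexpected.
function verifySignedRequest(value, appSecret) {
  if (typeof value !== "string") return null;
  const parts = value.split(".");
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const [encodedSig, encodedPayload] = parts;

  // The MAC covers the encoded payload string, not the decoded JSON.
  const expected = crypto.createHmac("sha256", appSecret).update(encodedPayload).digest();
  const given = b64urlDecode(encodedSig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;

  let payload;
  try {
    payload = JSON.parse(b64urlDecode(encodedPayload).toString("utf8"));
  } catch {
    return null;
  }
  if (!payload || String(payload.algorithm).toUpperCase() !== "HMAC-SHA256") return null;
  return payload; // only now is payload.user_id safe to trust
}

// --- Constructed sample data (hypothetical secret and user IDs) ---
const APP_SECRET = "constructed-app-secret";
function makeSample(payload, secret) {
  const body = b64urlEncode(Buffer.from(JSON.stringify(payload)));
  const sig = b64urlEncode(crypto.createHmac("sha256", secret).update(body).digest());
  return `${sig}.${body}`;
}
const genuine = makeSample({ algorithm: "HMAC-SHA256", user_id: "1000001" }, APP_SECRET);
// Same signature, payload swapped to name a different user: must be rejected.
const otherBody = b64urlEncode(Buffer.from(JSON.stringify({ algorithm: "HMAC-SHA256", user_id: "1000002" })));
const tampered = `${genuine.split(".")[0]}.${otherBody}`;
```

The app secret must stay on the server; the browser only ever holds the signed value, so a changed `user_id` fails the comparison.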