How to pass Facebook Id from client to server securely

Question

I have a Facebook canvas app. I am using the JS SDK to authenticate the user on the browser-side and request various information via FB.api (e.g. name, friends, etc.).

Answer 1

It's very simple actually.

When the user loads you app use the server side authentication, get the access token and load the user data by issuing an api request from the server.
On the server side you'll have everything you need and it's sandboxed.

When the page renders for the user, using the js sdk get the user authentication data, you should be able to use FB.getLoginStatus since the user already went through the server side authentication.
Now on the client side you also have an access token which you can use to get the user data from the graph api.

The two tokens will be different, and will also have different expiration, but that should not be a problem, both token should work properly as you'd expect them to.
Since both sides have their own token and a way to make requests to the api, there's no need to send any fb data between them.

So the 3rd option you mentioned, to me, sounds the best, and it's really simple to implement that too.

---

Edit

All facebook SDKs are just wrappers for http request since the entire fb api is made on http requests.
The SDKs just give you easy and shorter access to the data with out the need to build the url yourself (with all the different possible parameters), make the request and parse the response.

To be completely honest, I think that stop providing a way for the C# SDK to support server side authentication is a very bad decision.
What's the point in providing a SDK which does not implement the entire api?

The best answer to your question, from my experience, is to use both server and client side authentication, and since the C# SDK does not support it, my advice to you is to create your own SDK.
It's not complicated at all, I already implemented it for python and java (twice), and since you'll be developing it for your own needs it can be tailored for your exact needs, unlike a public SDK which should support all possible options.

---

2nd Edit

There's no need to create a completely new SDK, you can just "extend" the ones you're using and add the missing parts that you need, like sever side authentication support.

Answer 2

I don't know if it's language specific but using both server-side and client-side authentication does no harm.

You can work on option 2 but yes, that will be also vulnerable to spoofing.

Doing option 3, you will be having a single access token for that user session, so that would be the best choice according to me since you always have chance of spoofing when passing user information from client side.

Answer 3

I had exactly the same question recently. It's option 2. Check this post from the Facebook blog.

To be honest I am not enough of a hacker to know if you could spoof the UID in the cookie, but this seems to be the 'official' way to do it.

EDIT: to the other question under option 2, yes, I believe you have to access this cookie on your domain.

Answer 4

Option 1: The easiest way I can think of is to include the accessToken in JS and pass it with the ajax call.

Option 2: Using the same as option 1, but instead of sending just the accessToken, send the signedRequest.

On the server side you can decode it using (TryParseSignedRequest method) which will give you the UserID :-)

Note: signedRequest is encrypted with the application Secret. you are the only one who should know it, so you are safe on that end.

Disclaimer:

I have no coding experience in C#, but a little search in google gave me this:

Facebook C# SDK for ASP.NET

Making AJAX Requests with the Facebook C# SDK