I am looking for a way to verify a users facebook id when posting user specific data using ajax.
I want to be able to verify that a facebook user id is correct when posting data using ajax.
The problem being, that if I post the facebook id as part of my ajax data, it can be edited in the javascript. I could make a graph call on the server side, but these are really slow, so I want to keep graph calls to a minimum. Preferably only calling it at the beginning.
Can any suggest an efficient/secure method?
In the end my solution was to grab the users facebook id via the php sdk and creating a hash of it by adding a salt and encoding it with md5. When posting the form I include both the facebook id and the hash. I can then use the same salt value to double check that the facebook idea is correct before using it. This seems to provide enough security for my needs.
I know you want to avoid doing graph calls, but you can make a call client side as well and call the Facebook API:
FB.api('/me', function(response) {
// Check that response.id matches the submitting user id
});
This will allow you to check against the logged in user's Facebook id. There's no way you can really modify anything in the javascript to 'fake' being a different logged in Facebook user.
Otherwise, I'm not sure how else you can verify the id unless you have a whole login system yourself, where by you can match session data to saved user data on the database on the server side.
来源:https://stackoverflow.com/questions/16845950/how-to-verify-a-users-facebook-id-when-making-ajax-posts-to-php-in-facebook-app