Reputation: 23793
I've been looking around for an hour and I just don't understand this:
If a user wants to connect to my website with Facebook, should I use the JS first (to make people accept my app on their FB account) and then verify in PHP that they're logged in?
I'm lost. Trying to explain better:
I have a function to connect a user. If the password and ID match --> he's connected (for basic accounts).
For Facebook it's the same, but I just check if the ID exists. (Security 0?) I think...
Because if someone changes my JS and just puts in the Facebook ID of another person, he's going to be connected with that account.
What can I improve? Check in PHP to see if his ID is the right one?
Thanks
Upvotes: 0
Views: 64
Reputation: 46
You can encrypt and decrypt the id with a key. For example:

```php
<?php
// Requires the mcrypt extension (available in PHP < 7.2).
define("ENCRYPTION_KEY", "!@#$%^&*"); // key of your choice

/**
 * Returns the Blowfish/ECB encrypted form of $pure_string.
 * Note: ECB mode does not use the IV; it is created only because
 * mcrypt_encrypt() expects the parameter.
 */
function encrypt($pure_string, $encryption_key) {
    $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $encrypted_string = mcrypt_encrypt(MCRYPT_BLOWFISH, $encryption_key, utf8_encode($pure_string), MCRYPT_MODE_ECB, $iv);
    return $encrypted_string;
}

/**
 * Returns the decrypted original string.
 * mcrypt pads with NUL bytes, so they are stripped before the
 * UTF-8 encoding applied in encrypt() is reversed.
 */
function decrypt($encrypted_string, $encryption_key) {
    $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $decrypted_string = mcrypt_decrypt(MCRYPT_BLOWFISH, $encryption_key, $encrypted_string, MCRYPT_MODE_ECB, $iv);
    return utf8_decode(rtrim($decrypted_string, "\0"));
}
```

When your user logs in, you encrypt the id:

```php
encrypt($fbid, ENCRYPTION_KEY);
```

and when you verify whether the user is logged in, and which user it is, you decrypt the cookie or session, depending on which one you use:

```php
decrypt($idfromloginuser, ENCRYPTION_KEY);
```
Upvotes: 1
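The weakness the question describes is that the browser, not the server, decides which Facebook ID gets logged in. The following PHP is an added example, not code from the question or the answer above: it puts the client-trusting lookup next to a server-side check that asks Facebook, through its `debug_token` endpoint, which user and which app the access token actually belongs to. It assumes the JS SDK posts `fb_id` and `access_token` to this script, that `FB_APP_ID` and `FB_APP_SECRET` are set in the environment, and a `users` table with `id` and `fb_id` columns; all of these are assumptions for the example.

```php
<?php
session_start();

// Pattern from the question: the ID comes straight from the browser, so
// anyone who edits the JS can log in as any fb_id that exists in the table.
function loginByFacebookId(PDO $db, string $fbId): bool {
    $stmt = $db->prepare('SELECT id FROM users WHERE fb_id = ?');
    $stmt->execute([$fbId]);
    if ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $_SESSION['user_id'] = $row['id'];
        return true;
    }
    return false;
}

// Server-side check: Facebook tells us which user the token was issued to
// and for which app. The claimed ID is accepted only when both match.
function verifyFacebookToken(string $accessToken, string $claimedId): bool {
    $appId     = (string) getenv('FB_APP_ID');     // assumed environment variables
    $appSecret = (string) getenv('FB_APP_SECRET');
    $url = 'https://graph.facebook.com/debug_token?' . http_build_query([
        'input_token'  => $accessToken,
        'access_token' => $appId . '|' . $appSecret, // app access token
    ]);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // never disable TLS verification here
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if ($body === false) {
        return false; // network error: fail closed
    }
    $data = json_decode($body, true)['data'] ?? null;
    return is_array($data)
        && ($data['is_valid'] ?? false) === true
        && (string) ($data['app_id'] ?? '') === $appId        // token issued for our app
        && hash_equals((string) ($data['user_id'] ?? ''), $claimedId);
}

// Hardened login: verify first, then reuse the lookup with a trusted ID.
function loginWithFacebook(PDO $db, string $fbId, string $accessToken): bool {
    if (!verifyFacebookToken($accessToken, $fbId)) {
        return false;
    }
    return loginByFacebookId($db, $fbId);
}
```

Only the verified `fb_id` should ever reach the session; checking `app_id` matters because a valid token issued to a different Facebook app must not be accepted as proof of identity on this site.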