Reputation: 15885
I seem to recall that after the publicized privacy concern with Facebook Apps and leaked User IDs that Facebook announced it was considering a change. This change, if I recall, would be that Apps would receive rewritten User IDs instead of actual User IDs. Did anything come of this? Links to official statements and/or developer documentation clarifying this would be appreciated.
In short, I would like to build out two separate applications that are closely related to one another, and I want to be able to cross-reference User IDs between these two applications (if possible). Is there a best practice for doing this?
Upvotes: 1
Views: 1085
Reputation: 3544
Take a look at this blog post that should provide some guidance. https://developers.facebook.com/blog/post/431/
Currently, we pass iframe applications the fb_sig_user query string parameter in the URL. This allows the application to identify the user and create customized, social experience. Due to the way browsers work, this information in the URL can be inadvertently passed in the HTTP Referrer header when someone clicks a link within the iframe.
Our initial proposal to address this issue used encryption as a means to protect against this inadvertent sharing, but still passed this encrypted UID in the URL. After talking with the community, we have updated our proposed solution to use a different mechanism that provides better protection for users while minimizing the impact on existing applications and eliminates the need to use encryption libraries.
In short, this new proposal embeds the UID in a HTTP POST body ensuring that it will not be exposed in any HTTP Referrer header whatsoever (encrypted or otherwise). We do this by creating a <form/> element targeted at the application Canvas URL:
    <form target="canvas_iframe" action="http://example.com/" method="post" id="canvas_form">
      <input name="fb_sig_user" value="1234" type="hidden" />
    </form>
    <iframe name="canvas_iframe"></iframe>
    <script>
      document.getElementById("canvas_form").submit()
    </script>
Upvotes: 2
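The difference between the two delivery mechanisms described in the quoted blog post, as an added example that is not code from Facebook, the blog post, or the answer above. The function names, the third-party link target, and the referrer-policy modelling are assumptions made for illustration; the canvas URL and UID 1234 are the sample values from the quoted snippet.

```javascript
// Added example; all values are constructed samples.
const SENSITIVE = ["fb_sig_user"];

// Model of HTML form submission: GET serializes the fields into the URL query,
// POST leaves the action URL untouched and carries the fields in the body.
function submitForm(method, action, fields) {
  const encoded = new URLSearchParams(fields).toString();
  const url = new URL(action);
  if (method.toUpperCase() === "GET") {
    url.search = encoded;
    return { method: "GET", documentUrl: url.href, body: "" };
  }
  return { method: "POST", documentUrl: url.href, body: encoded };
}

// Referer a browser attaches when a link inside the loaded document is followed.
// "no-referrer-when-downgrade" (the long-standing default) sends the full URL minus
// fragment and credentials; "strict-origin-when-cross-origin" sends only the origin
// to other origins. Both send nothing on an https -> http downgrade.
function refererFor(documentUrl, targetUrl, policy = "no-referrer-when-downgrade") {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  if (doc.protocol === "https:" && target.protocol === "http:") return null;
  doc.hash = ""; doc.username = ""; doc.password = "";
  if (policy === "strict-origin-when-cross-origin" && doc.origin !== target.origin) {
    return doc.origin + "/";
  }
  return doc.href;
}

// Check: which sensitive parameters would leave the site inside a Referer value.
function leakedParams(referer) {
  if (!referer) return [];
  const query = new URL(referer).searchParams;
  return SENSITIVE.filter((name) => query.has(name));
}

// Canvas-app side: accept the UID only from a POST body, never from the query string.
function readUid(request) {
  if (request.method !== "POST") return null;
  return new URLSearchParams(request.body).get("fb_sig_user");
}
```

The same `leakedParams` check can be run over the Referer column of web server logs to find pages that still receive identifiers in their URLs.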