Reputation: 15802
I'm playing around with Facebook Connect, trying to use Facebook as the means of authentication on my site. Currently my workflow looks something like this:
<fb:login-button>, along with the required <script>s.
So I have a few questions:
Is this secure? I was thinking of ways I would be able to do without the double authentication with Facebook (checking once on page-generation and checking again on comment-submission), and I could not figure any other way short of maintaining my own session-state with each client. Is that worth doing?
Does the access token expire when I log out of Facebook? I'm thinking it should, but it seems I can continue to use the same access token to grab data (i.e. name, url, etc.) after I manually go to Facebook and log myself out. Is it because I'm only asking for public information, and only more intrusive permissions expire on logout?
Given that each person who wants to do something has to provide a unique token from Facebook, this should have the side effect of blocking CSRF, since every action can be traced to a valid Facebook account. Is that right?
Upvotes: 0
Views: 1946
Reputation: 43816
Why don't you just use the Facebook JavaScript SDK to detect if they're currently logged into Facebook? This will also make the access token available in JavaScript so you can make client-side calls to the API. You can access the same access token server side via the session cookie set by Facebook also.
Upvotes: 2
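As an added example (not code from the question or this answer), here is the check a server should run on that cookie before trusting the user identity inside it, assuming the cookie carries a Facebook signed_request: a base64url HMAC-SHA256 signature, a dot, then a base64url JSON payload, with the HMAC keyed by the app secret. The app secret and payload values are constructed for the example; the builder function exists only so the verifier can be exercised offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample secret; a real one comes from the app's Facebook settings.
APP_SECRET = b"example-app-secret-not-real"


def _b64url_decode(data: str) -> bytes:
    # The signed_request format strips base64url padding; restore it first.
    data += "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request: str, app_secret: bytes) -> Optional[dict]:
    """Return the payload dict only if the signature verifies; otherwise None.

    Nothing in the payload (user id, token, code) may be used before this
    returns a dict, because the cookie is client-controlled until verified.
    """
    try:
        encoded_sig, encoded_payload = signed_request.split(".", 1)
        sig = _b64url_decode(encoded_sig)
        payload = json.loads(_b64url_decode(encoded_payload))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    # Reject anything not claiming the one algorithm we are prepared to verify.
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The MAC covers the still-encoded payload string, not the decoded JSON.
    expected = hmac.new(app_secret, encoded_payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return payload


def make_signed_request(payload: dict, app_secret: bytes) -> str:
    """Build a signed_request the way the issuer would (used here for testing)."""
    encoded_payload = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret, encoded_payload.encode("ascii"), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{encoded_payload}"
```

A payload whose user_id was edited, or one signed with a different secret, is rejected, which is what makes the cookie usable as server-side proof of identity rather than a hint.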
Reputation: 4348
I can't answer all of your questions but I can tell you that having the access token in a hidden field on your page is risky from a policy perspective, especially if your page can be read by any third-party code such as Google Analytics or AdSense. Facebook will nail you for this as it is leaking user identifying data to third parties. The Facebook userid is in the access token in plain text. Facebook has automated processes that scan for this stuff and will auto-ban your app if it is leaking userids to third parties.
Upvotes: 2