PHP Facebook session management

Question

I am developing a facebook app using PHP. I am able to login using the below code

 <?php

$app_id = "XXXXXXXXXXXXXXXXX";
$canvas_page = "http://apps.facebook.com/sandysfirst/";
$auth_url = "http://www.facebook.com/dialog/oauth?client_id="
       . $app_id . "&redirect_uri=" .urlencode($canvas_page)."&scope="."publish_stream,read_stream,offline_access";
$signed_request = $_REQUEST["signed_request"];
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
if (empty($data["user_id"])) {
       echo("<script> top.location.href='" . $auth_url . "'</script>");
} else {

}?>

<?php
  include_once "src/facebook.php";
  $app_id = 'XXXXXXXXXXXXXXXXXXX';
  $application_secret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
  $facebook = new Facebook(array(
 'appId'  => $app_id,
 'fileUpload' =>true,
 'secret' => $application_secret,
 'cookie' => true, // enable optional cookie support
));
       if ($facebook->getSession()) {
       $user = $facebook->getUser();
       $uid = $facebook->getUser();
              $fbme  =   $facebook->api('/me');
              echo "<br/><br/><br/><br/> Welcome ".$fbme['name'];
         }
       echo "<html>

and the HTML follows below that with a form action. I want to know how I can get the same user id or session on the second page once the form is submitted. I am not using facebook.php of sdk 3.0.

Answer 1

I don't know the facebook api, but from some basic php there's a few methods you could use:

1 - Add the uid as a hidden field in the form.

<input type="hidden" name="uid" value="$uid">

2 - Add it to the action url

<form action="submit.php?uid=$uid">

However the better way is to use the facebook api, pretty much the same way you've got it listed there already (from the include_once "src/facebook.php";), to retrieve the uid each time, otherwise you leave it open to security hacks (easy to pass a fake uid in a form).