Facebook Iframe Authentication Across Pages / Ajax Requests

9 Jun, 2009  |  Written by Jon  |  under Facebook Development

$facebook->require_login() has some gotcha behaviors in iframes that are worth mentioning; hopefully this will save you some time. Over the course of ripping my hair out, I observed one or more of the following on pages that call $facebook->require_login():

  • Facebook generating a new “auth_token” in the url query string each time I requested a page
  • Pages, other than the canvas page, “breaking out” of the Facebook frame
  • Ajax requests that were returning nothing due to a page redirect

All of the above happen because Facebook cannot maintain authentication across page requests when a page is simply linked to from inside the iframe: the new request arrives without the fb_sig parameters, so Facebook has to generate new credentials and redirect back, which is what breaks the frame and swallows the Ajax response. If you open the iframe from the canvas page in a new window, you will see the following GET variables in the URL (an example from my page):

fb_sig_in_iframe: 1
fb_sig_locale: en_US
fb_sig_in_new_facebook: 1
fb_sig_time: 1244518218.1479
fb_sig_added: 1
fb_sig_profile_update_time: 1241618728
fb_sig_expires: 1244606400
fb_sig_user: 780432493
fb_sig_session_key: 2.hvRa_GKzi347TYchGAyWXA__.86400.1244606400-780432493
fb_sig_ss: QGgImUePCmQg5dBx_Mm07A__
fb_sig_ext_perms: auto_publish_recent_activity
fb_sig_api_key: 9c74c62f8c7ed2d5fef13719d0256dcb
fb_sig_app_id: 125523728288
fb_sig: 6350aff72d9b7bd40672a8552047b746

These variables in the URL are what keep a page authenticated across iframe requests: fb_sig is Facebook's signature over the other fb_sig_* values, computed with your application secret, so a page that receives the whole set can be validated without another redirect. If you re-form this query string and append it to your URLs or Ajax requests, they will be authenticated and all of the above errors go away. Here is some PHP code to do that:

<?php
//build the authentication query string from the fb_sig* parameters Facebook
//passed to this page ($fbvars and $i must be initialised, and the values
//url-encoded, or the string comes out wrong on some sessions)

$fbvars = '';
$i = 0;
foreach($_GET as $key => $value) {
	if (strpos($key,"fb_sig")===0) {
		if ($i!=0) $fbvars.= "&";
		$fbvars.= urlencode($key)."=".urlencode($value);
		$i++;
	}
}

//then to link, just use $fbvars to add on to the query string of any link
//(run it through htmlspecialchars() when echoing it into HTML)

?>
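As an added example (not code from the original post, and not Facebook's client library), here is the same idea done with url-encoding and with the check a receiving page or Ajax endpoint should make before it trusts fb_sig_user from the URL. It assumes the signature scheme the classic Facebook Platform used for fb_sig: md5 over the sorted key=value pairs with the fb_sig_ prefix stripped, concatenated with no separator and followed by your application secret. The secret and the fb_sig_* values in the self-check at the bottom are constructed placeholders, and fb_sig_params, fb_vars_query, fb_sign, fb_str_equals and fb_sig_valid are names chosen for this example.

```php
<?php
// Added example: propagate the fb_sig* parameters safely and verify them on
// the receiving page. Signature scheme assumed (classic Facebook Platform):
//   fb_sig = md5( sorted "k=v" pairs, "fb_sig_" prefix stripped, no separator,
//                 followed by the application secret )
// Function names and the sample data at the bottom are constructed for this
// example; they are not part of Facebook's client library.

// Only the parameters Facebook signed: "fb_sig" itself plus every "fb_sig_*" key.
function fb_sig_params(array $request)
{
    $out = array();
    foreach ($request as $key => $value) {
        if ($key === 'fb_sig' || strpos($key, 'fb_sig_') === 0) {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Query string to append to links and Ajax URLs. http_build_query() url-encodes
// keys and values, so a session key containing '+' or '/' survives the trip.
function fb_vars_query(array $request)
{
    return http_build_query(fb_sig_params($request));
}

// Recompute the signature Facebook would have produced for the fb_sig_* values.
function fb_sign(array $request, $appSecret)
{
    $payload = array();
    foreach ($request as $key => $value) {
        if (strpos($key, 'fb_sig_') === 0) {
            $payload[substr($key, strlen('fb_sig_'))] = $value; // strip the prefix
        }
    }
    ksort($payload);
    $str = '';
    foreach ($payload as $k => $v) {
        $str .= "$k=$v";
    }
    return md5($str . $appSecret);
}

// Constant-time comparison; hash_equals() only exists in PHP >= 5.6.
function fb_str_equals($a, $b)
{
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// True only if fb_sig matches and fb_sig_expires (0 = infinite session) has not
// passed. Call this on every page and Ajax endpoint that reads fb_sig_user from
// the URL; a tampered or stale set should go back through require_login().
function fb_sig_valid(array $request, $appSecret, $now = null)
{
    if (!isset($request['fb_sig'])) {
        return false;
    }
    if (!fb_str_equals(fb_sign($request, $appSecret), (string) $request['fb_sig'])) {
        return false;
    }
    $now = ($now === null) ? time() : $now;
    $expires = isset($request['fb_sig_expires']) ? (int) $request['fb_sig_expires'] : 0;
    return $expires === 0 || $expires >= $now;
}

// Self-check with constructed data (hypothetical secret, no real session).
$appSecret = 'hypothetical-app-secret';
$signed = array(
    'fb_sig_user'      => '780432493',
    'fb_sig_expires'   => '1244606400',
    'fb_sig_in_iframe' => '1',
    'unrelated'        => 'not signed and not propagated',
);
$signed['fb_sig'] = fb_sign($signed, $appSecret);

$fbvars = fb_vars_query($signed);   // append this to each link / Ajax URL
parse_str($fbvars, $received);      // what the next page sees in $_GET

var_dump(fb_sig_valid($received, $appSecret, 1244518218)); // before fb_sig_expires
var_dump(fb_sig_valid($received, $appSecret, 1244606401)); // after fb_sig_expires
$received['fb_sig_user'] = '1';                             // value changed in transit
var_dump(fb_sig_valid($received, $appSecret, 1244518218));
```

Pass fb_vars_query($_GET) into each link and into the URL your JavaScript builds for its Ajax calls (through htmlspecialchars() when echoing into HTML), and call fb_sig_valid() at the top of every page or endpoint that reads fb_sig_user. Keep in mind that the signed set is a bearer credential: anyone who obtains the full URL can act as that user until fb_sig_expires, so do not log these URLs or let them reach third-party sites in a Referer header.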

17 Responses so far

  1. Joe Seemiller  |  June 23rd, 2009 at 8:59 am #

    Exactly what I needed! Thanks for posting this — you did save me some time.

  2. Dane Iracleous  |  June 23rd, 2009 at 5:12 pm #

    You saved me so much time. Thank you!!!

  3. Harley Fritz  |  June 27th, 2009 at 2:54 pm #

    Here it is with some missing vars declared.

    $fbvars = '';
    $i = 0;
    foreach($_REQUEST as $key => $value) {
        if (strpos($key,"fb_sig")!==false) {
            if ($i!=0) $fbvars.= "&";
            $fbvars .= "$key=$value";
            $i++;
        }
    }

  4. Alessandro  |  September 19th, 2009 at 10:21 am #

    Thank you!!!

  5. Justin  |  October 5th, 2009 at 8:39 am #

    Thanks for this post, I have the exact same problem. Where exactly do I append these authentication variables? This is what I'm doing; this is the only place I can think of appending the query string:

    $redirectUrl = $this->facebook->get_add_url() + $fbvars;
    echo “$redirectUrl”;
    $this->facebook->redirect($redirectUrl);
    return;

  6. Jon  |  October 11th, 2009 at 2:30 pm #

    They would be added to any link on your page. For example http://www.domain.com/nextpage.htm?<?=$fbvars?>

  7. z2008cn  |  October 11th, 2009 at 9:50 pm #

    Cool! That’s what I need indeed! thank you very much!

  8. David Lee  |  October 28th, 2009 at 2:09 pm #

    I’m concerned about doing this as it will put all the variables in the URL. Some app users like to post urls to share with friends. What are your thoughts about using POST or SESSION to pass the variables?

  9. Jon  |  October 28th, 2009 at 5:54 pm #

    Facebook already passes these variables in the URL as GET variables when you pull up the canvas page anyway (right click to open up the iframe in its own window and you will see them there). These variables are all public (your private key is still your own). If somebody bookmarks or shares a link with some old session info, the worst case scenario is that they just have to log in to your app again.

  10. helloworlder  |  November 9th, 2009 at 8:04 am #

    Thanks! You’re the man! :-)

  11. Wilson V  |  November 24th, 2009 at 10:27 pm #

    Nice.. I was looking for this for a long time. Thanks. God bless

  12. kumar  |  November 26th, 2009 at 4:05 am #

    I have the same problem. Where do I need to put the below code?

    foreach($_GET as $key => $value) {
        if (strpos($key,"fb_sig")!==false) {
            if ($i!=0) $fbvars.= "&";
            $fbvars.= "$key=$value";
            $i++;
        }
    }

    //then to link, just use $fbvars to add on to the query string of any link

    ?>

  13. ugur3d  |  January 30th, 2010 at 10:24 pm #

    Does this mean that I have to filter this data before sending it via Ajax (URL) to the PHP page, so the PHP page does not need to ask for session_key again?

  14. Andersen  |  March 16th, 2010 at 10:23 am #

    Works, but there is an important safety issue while using these fbvars.
    I have experienced that it is possible to open the iframe app outside the Facebook frame, as long as the vars are attached to the URL. However, this presents an important issue.
    If a user uses your app and then logs out of Facebook, it is actually still possible to go to the app of the user by typing the entire address (outside FB), or just by looking at “visited pages”.
    In itself it is not so bad, but the problem is if someone uses the app on a public computer.
    The next user of the computer is then actually able to see the previous user's profile by going to “visited pages”.

    I don't know how to solve this issue, but I was hoping some of you gurus here have an idea. Either way, I just thought I would inform you about this issue.

    PS: This is with require_login() enabled.

  15. bob  |  March 18th, 2010 at 1:14 pm #

    Andersen, the point is this info is already public, and if someone leaves their Facebook account open on a public computer then that is the problem. It's up to the user to log out on a public computer.

  16. Stas  |  March 21st, 2010 at 12:25 pm #

    What I do not understand is why FB doesn't use cookies for storing this info. It would solve all the problems.

  17. Andersen  |  March 23rd, 2010 at 7:53 pm #

    bob: Yes, I am aware of that, but the thing is, even if the user logs out of Facebook, he can still enter personal info via the link. Facebook does not require the login when fbvars is appended to the URL, for some reason.

