FBConnect - Facebook authentication made simple

OpenID and OAuth are the future of user verification; however, Facebook, one of the largest networks and used by millions, still isn't an OpenID server.

Oh well. Here's an alternative, which doesn't use the FBML markup.

Demo 
   http://sandbox.knarly.com/facebook/connect.php

Code
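<?php
/**
 * This little script helps us to authenticate a user using their Facebook account,
 * as one might perhaps use an OpenID or OAuth account.
 * First define the Secret and API_key at (http://developers.facebook.com/setup.php)
 * This example does not use the FBML (which I despise more than Microsoft Passport)
 */

$secret = '';
$api_key = '';

if(isset($_GET['session'])){
	// Decode to an associative array; malformed input becomes an empty array
	$json = json_decode($_GET['session'], true);
	if(!is_array($json)) $json = array();
	// Missing fields default to empty strings so the check below fails cleanly
	$json += array('expires'=>'', 'session_key'=>'', 'secret'=>'', 'uid'=>'', 'sig'=>'');

	// The signed parameters, keys in alphabetical order
	$a = array(
		'expires' => $json['expires'],
		'session_key' => $json['session_key'],
		'ss'	=> $json['secret'],
		'user'	=> $json['uid']
	);
	// Build the base string: key=value pairs joined without a separator
	$s='';
	foreach($a as $k=>$o)
		$s .= $k.'='.$o;

	// Verify the response: hash_equals() (PHP 5.6+) compares in constant time
	if( hash_equals(md5($s.$secret), (string)$json['sig']) && $json['expires'] >= time() ){
		print "Yes success";
	}
	else {
		print "Failed";
	}
}
?>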
<html>
<head>
<title>Facebook authentication</title>
</head>

<body>
<pre><?= htmlspecialchars(print_r($_GET, true), ENT_QUOTES, 'UTF-8') ?></pre>
<form>
  <input type="button" value="Connect with Facebook" 
    onclick="window.open('http://www.facebook.com/login.php?api_key=<?=$api_key?>&display=popup&extern=1&fbconnect=1&req_perms=publish_stream&return_session=1&v=1.0&next='+encodeURIComponent(window.location.href+'?ref=success')+'&fb_connect=1&cancel_url='+encodeURIComponent(window.location.href+'?ref=cancel')+'', 
    '_blank', 'top=442,width=480,height=460,resizable=yes', true)"  />
</form>
</body>
</html>
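
The signature check from the script above, written as a reusable function with stricter input handling. This is an added example, not the author's code: the function name verify_fb_session, the sample secret and the session values are constructed for illustration, and hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example, not part of the original script. The function name and all
// sample values below are constructed for illustration.
// Returns the verified uid as a string, or null when the session is rejected.
function verify_fb_session($session_json, $secret, $now)
{
	$json = json_decode($session_json, true);
	if (!is_array($json)) {
		return null;
	}
	// Every field must be present and scalar: a nested array or object
	// must never reach the string concatenation below.
	foreach (array('expires', 'session_key', 'secret', 'uid', 'sig') as $f) {
		if (!isset($json[$f]) || !is_scalar($json[$f])) {
			return null;
		}
	}
	// The uid ends up inside an FQL query string, so accept digits only.
	if (!ctype_digit((string)$json['uid'])) {
		return null;
	}
	// Same base string as the script above: key=value pairs, keys in
	// alphabetical order, no separator, application secret appended.
	$a = array(
		'expires'     => $json['expires'],
		'session_key' => $json['session_key'],
		'ss'          => $json['secret'],
		'user'        => $json['uid'],
	);
	ksort($a);
	$s = '';
	foreach ($a as $k => $v) {
		$s .= $k . '=' . $v;
	}
	// Constant-time comparison first, then the expiry check.
	if (!hash_equals(md5($s . $secret), (string)$json['sig'])) {
		return null;
	}
	return ((int)$json['expires'] >= $now) ? (string)$json['uid'] : null;
}

// Constructed session, signed with a constructed secret.
$secret = 'example-app-secret';
$sess = array('expires' => 2000000000, 'session_key' => 'abc', 'secret' => 'xyz', 'uid' => '1234');
$sess['sig'] = md5('expires=2000000000session_key=abcss=xyzuser=1234' . $secret);
var_dump(verify_fb_session(json_encode($sess), $secret, 1900000000)); // untampered session
$sess['uid'] = '9999'; // uid changed after signing, sig left as it was
var_dump(verify_fb_session(json_encode($sess), $secret, 1900000000)); // tampered session
```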
 

Further security

If you think the Secret and API Key are known by a malicious third party, you can validate the response further by making an internal server-to-server connection with Facebook.

Following on from the success of the initial checks, include the following:
	include "./facebook-platform/php/facebook.php"; // see http://wiki.developers.facebook.com/index.php/PHP
	$facebook = new Facebook($api_key, $secret);
	$facebook->set_user($a['user'], $a['session_key']);
	$res=$facebook->api_client->fql_query("SELECT recipient_id FROM notification WHERE recipient_id=".$a['user']);
	print_r($res);

On failure this throws an exception, so wrap it in a try/catch block.

Resources

http://wiki.developers.facebook.com/index.php/Verifying_The_Signature

Author

Andrew Dodson
Since: Feb 2007