The way an app should work (and bear in mind this could be different for hosted games):
Tracking of an individual user should all be handled as per normal with your server, using cookies. You should be able to find a user account plugin for whatever framework you're working with to manage this for you. Ideally find one that integrates with Facebook to make your life easier. The client shouldn't communicate with Facebook directly, except to get publicly available data, such as a small profile pic of any user.

Background:

* You as a developer create an App on Facebook, specifying the permissions the app should have, e.g. see friend lists, create events, read messages, post on wall etc. (for some reason you also specify this when you connect to the Facebook servers, not sure why...). Facebook then issues you with an API key/secret for your app. You can recreate this if it becomes compromised in some way.
* Your server holds the Facebook API key.

1. Client talks to your server and asks to login/authenticate.
2. Your server redirects the client to Facebook, with a login request for your app and a list of permissions (again, not sure why this needs to be repeated, possibly because you're allowed to request a subset of permissions).
3. Facebook presents the app name and a list of desired permissions and asks the user to agree. The screen used to do this changes all the time, which is quite annoying; they don't seem to have worked out an ideal presentation for it yet.
4. If the user accepts, your app gets notified (probably by the user, although it might be by Facebook) and the user is redirected to your site. At any rate, you now have a user token that can be used to connect to Facebook to enquire about the user.
5. At any point in time, using a combination of your API key and the user token, your server can access the permissions the user granted you, by contacting Facebook directly.

If you release the API key, at the very least, someone can masquerade as your app. They may be able to access data for users they don't have a token for, not sure about that.
And one more fun thing we found out the other day - if a user changes their password, the token will change, and your app needs to have some mechanism for updating it, or the user will likely hit a 500 error.

On 1 June 2012 04:13, Hans Wichman <hans.wich...@gmail.com> wrote:

> Hi Henrik,
>
> not to hijack Paul's thread, but do you have some more info on this
> subject. E.g. the client would need some way to uniquely id itself to the
> server, lest the server give out this data to anyone, which is kind of the
> same as making your api key public? The client could be decompiled etc
> etc, referrers can be faked.. is there some kind of standard setup that you
> know of that prevents this?
> My guess is it would benefit Paul as well as the rest of us (me ;)).
>
> regards,
> Hans
>
> On 31-5-2012 18:00, Henrik Andersson wrote:
>
>> The idea is obviously to let your server be the one who asks the
>> Facebook servers for the data, meaning that the only possible attack
>> points are the server itself and the connection. If your server is
>> compromised then you have fail security. If the connection is
>> compromised then SSL failed. SSL is much less likely to fail.
>>
>> Point is, the client never sees the key.
>>
>> Hans Wichman writes:
>>
>>> Hi Ben,
>>>
>>> if you put the keys on your server, can't they be sniffed anyway or am I
>>> missing something?
>>> tnx
>>> H
>>
>> _______________________________________________
>> Flashcoders mailing list
>> Flashcoders@chattyfig.figleaf.com
>> http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
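The server-side flow laid out in the message above (and Henrik's point that the client never sees the key), written out as an added example that is not code from the original post, the list, or Facebook: a minimal login server that keeps the app id/secret to itself, identifies the client only by its own session cookie, binds the redirect back from Facebook to that session with a random `state` value, trades the returned code for the user token on the server, and treats a token that Facebook rejects (for instance after a password change) as "log in again" rather than letting the request fail with a 500. The dialog URL, the parameter names (`client_id`, `redirect_uri`, `scope`, `state`, `code`) and the `{"error": {...}}` reply shape follow OAuth 2.0 conventions and are assumptions here, not taken from the thread; `FakeFacebook` is a constructed stand-in so the example runs offline.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed placeholder for Facebook's login dialog; the real endpoint is versioned.
AUTH_DIALOG = "https://www.facebook.com/dialog/oauth"


class TokenExpired(Exception):
    """A stored user token stopped working (e.g. the user changed their password)."""


class LoginServer:
    """Your server: holds the app secret, owns the session cookie, talks to Facebook."""

    def __init__(self, app_id, app_secret, redirect_uri, exchange_code, graph_call):
        self.app_id = app_id
        self.app_secret = app_secret          # never sent to the client
        self.redirect_uri = redirect_uri
        self._exchange_code = exchange_code   # (code, app_id, app_secret, redirect_uri) -> token
        self._graph_call = graph_call         # (token, path) -> dict
        self.sessions = {}                    # session cookie -> {"state": ..., "token": ...}

    def begin_login(self, scopes):
        """Steps 1-2: issue a session cookie and build the redirect to Facebook.
        Only the public app id, the permissions and a per-session state go in the URL."""
        sid, state = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[sid] = {"state": state, "token": None}
        url = AUTH_DIALOG + "?" + urlencode({
            "client_id": self.app_id, "redirect_uri": self.redirect_uri,
            "scope": ",".join(scopes), "state": state})
        return sid, url

    def finish_login(self, sid, callback_url):
        """Steps 4-5: user returns with ?code=...&state=...; the server, not the
        client, trades the code plus the app secret for a user token."""
        session = self.sessions.get(sid)
        if session is None:
            raise PermissionError("unknown session cookie")
        q = parse_qs(urlparse(callback_url).query)
        state, code = q.get("state", [""])[0], q.get("code", [""])[0]
        expected = session["state"]
        if not code or expected is None or not hmac.compare_digest(state.encode(), expected.encode()):
            raise PermissionError("state mismatch: callback not bound to this session")
        session["state"] = None               # state is single-use
        session["token"] = self._exchange_code(code, self.app_id, self.app_secret, self.redirect_uri)

    def fetch_profile(self, sid):
        """Use the stored token; a rejected token (assumed 'error' key in the reply)
        clears it so the user is sent through login again instead of a 500."""
        session = self.sessions.get(sid)
        if session is None or session["token"] is None:
            raise PermissionError("not logged in")
        reply = self._graph_call(session["token"], "/me")
        if "error" in reply:
            session["token"] = None
            raise TokenExpired(reply["error"].get("message", "token rejected"))
        return reply


class FakeFacebook:
    """Constructed stand-in for Facebook so the example runs offline."""

    def __init__(self, app_id, app_secret):
        self.app_id, self.app_secret = app_id, app_secret
        self.codes, self.tokens = {}, {}      # code -> user id, token -> user id

    def user_consents(self, redirect_uri, state, user_id):
        code = secrets.token_urlsafe(16)      # step 3-4: one-time code, state echoed back
        self.codes[code] = user_id
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def exchange_code(self, code, app_id, app_secret, redirect_uri):
        if app_id != self.app_id or not hmac.compare_digest(app_secret, self.app_secret):
            raise PermissionError("bad app credentials")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = self.codes.pop(code)   # unknown or reused code -> KeyError
        return token

    def graph_call(self, token, path):
        if token not in self.tokens:
            return {"error": {"type": "OAuthException", "message": "invalid token"}}
        return {"id": self.tokens[token], "name": "Test User"}

    def user_changes_password(self, user_id):
        self.tokens = {t: u for t, u in self.tokens.items() if u != user_id}


def demo():
    cb = "https://game.example/fb-callback"   # assumed redirect URI for the app
    fb = FakeFacebook("123456", "app-secret")
    srv = LoginServer("123456", "app-secret", cb, fb.exchange_code, fb.graph_call)
    sid, url = srv.begin_login(["email", "user_friends"])
    state = parse_qs(urlparse(url).query)["state"][0]
    try:                                      # forged callback with the wrong state
        srv.finish_login(sid, cb + "?code=x&state=forged")
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    srv.finish_login(sid, fb.user_consents(cb, state, "u42"))
    profile = srv.fetch_profile(sid)
    fb.user_changes_password("u42")           # Facebook invalidates the old token
    try:
        srv.fetch_profile(sid)
        stale_handled = False
    except TokenExpired:
        stale_handled = True
    return {"redirect": url, "forged_rejected": forged_rejected,
            "profile": profile, "stale_handled": stale_handled}
```

The client's only credential towards your server is the session cookie it was issued in `begin_login`; it never holds the app secret or the user token, which is what answers Hans's question about the client identifying itself. If the cookie leaks, the attacker gets that one user's session, not the ability to act as your app. The `state` check is what stops someone pasting a callback URL of their own into another user's session, and `fetch_profile` shows the password-change case from the message: the token is dropped and the user is pushed back to step 1 rather than served an error page.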