
Can anyone tell me what I can extract from the Facebook JS SDK that I can use to send to a web service that I'm using to safely identify a user from?

For example, once I have established that the user has auth'd my application, I want to register this user in my server database. Then I want to use their ID to request data about this user, so a GET to my server such as "user//thedata".

Here is what I'm trying to achieve. Once my user is logged in using the Facebook API, I want to be able to make web service calls to my hosted web service in the context of that user only. How do I avoid traffic sniffing, or simply asking the web service for a different user's ID to get their data?

Update:

Do I simply use the auth_token that Facebook gives me after logging in, send this to my server, and then have the server query the Facebook Graph API with the token to get the user ID?

Thanks.

Martin Blore
  • Can't you use the user id from Facebook to identify the user? https://developers.facebook.com/docs/reference/api/user/ – Karan Ashar Jul 25 '13 at 22:31
  • Yes, but once I know your user ID, and I know my web-service URL is "http://someserver.com/user/1234/data", I'll just replace the 1234 with your user ID and get your data instead of mine. That's what I'm trying to avoid. – Martin Blore Jul 25 '13 at 22:32
  • I see. Maybe md5 the user id from facebook + some unique string on your server? – Karan Ashar Jul 25 '13 at 22:34
  • But the user would just see this all happening on your client browser and mimic it. If I asked the server for a unique string, then the hacker would also see that client side. – Martin Blore Jul 25 '13 at 22:35
  • Using SSL should eliminate this concern right? eg: http://stackoverflow.com/questions/9008997/web-authentication-how-to-securely-transfer-username-password-from-the-client – Karan Ashar Jul 25 '13 at 22:44
  • No, not really. I mean, here is an example. My user is 1234, yours is 7890 - this is public information. We both know the data web-service is at https://www.service.com/user/1234/data. So from my machine, I just hit https://www.service.com/user/7890/data and bam, I have your information. – Martin Blore Jul 25 '13 at 22:53
  • Is it possible to change the web service url? Instead of service.com/user/1234/data, you would make service.com/user/data while passing the unique user id in the header over ssl. Since headers are encrypted over ssl, no one can spoof that and you can use this user id on the server. – Karan Ashar Jul 25 '13 at 23:02
  • But what stops a user looking at the way the request is being built on the client, and just posting a changed user ID again? For example, move it away from the URL and put it into a form post with the key "user_id". But I would just construct my own post with your user ID set, and I'm back to seeing your data. – Martin Blore Jul 25 '13 at 23:04
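The approach in the question's update, as an added example that is not part of the original post: the server never trusts a user ID supplied by the client (in the URL or a form field); it derives the caller's identity from the access token by asking the Graph API `/me` endpoint, then compares that to the ID in the request path. The `graph_me` helper makes the real network call; `fake_graph_me`, `FAKE_TOKENS` and `USER_DATA` are constructed stand-ins so the example runs offline.

```python
import json
import urllib.parse
import urllib.request

GRAPH_ME_URL = "https://graph.facebook.com/me"


def graph_me(access_token):
    """Ask the Graph API which user this token belongs to (real network call)."""
    qs = urllib.parse.urlencode({"access_token": access_token, "fields": "id"})
    with urllib.request.urlopen(f"{GRAPH_ME_URL}?{qs}") as resp:
        return json.load(resp)["id"]


# Constructed stand-in for graph_me: which Facebook user ID each token was issued for.
FAKE_TOKENS = {"tok-for-1234": "1234", "tok-for-7890": "7890"}


def fake_graph_me(access_token):
    """Offline substitute for graph_me; rejects tokens the 'Graph API' does not know."""
    try:
        return FAKE_TOKENS[access_token]
    except KeyError:
        raise PermissionError("token rejected by Graph API")


# Constructed server-side store keyed by Facebook user ID.
USER_DATA = {"1234": {"name": "Martin"}, "7890": {"name": "Karan"}}


def handle_user_data(path_user_id, access_token, lookup=graph_me):
    """Handle GET /user/<path_user_id>/data sent with the caller's access token.

    Returns (status, body). The identity used for authorisation comes only from
    the token, so swapping the ID in the URL cannot expose another user's data.
    """
    try:
        caller_id = lookup(access_token)
    except Exception:
        return 401, {"error": "invalid or expired token"}
    if caller_id != path_user_id:
        # Token is valid but belongs to someone else: deny, do not leak the data.
        return 403, {"error": "forbidden"}
    return 200, USER_DATA.get(caller_id, {})
```

In production, also check that the token was issued to your own app (the Graph API `debug_token` endpoint reports the `app_id`) so a token obtained for a different app cannot be replayed against your service.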
