Facebook Javascript SDK security -
i'm in process of using facebook javascript sdk provide user login functionality website.
what i'd take logged in user's unique facebook id , put/fetch data to/from mysql database using id determine data available said user.
however don't feel secure. whilst i'm not storing sensitive credit-card details etc, i'd prefer secure practically possible.
my fear javascript being it, fake facebook id , pull whatever wanted.
i'm aware php sdk provide solid solution problem, javascript 1 because it's easy use , have basis of set (i admit it, i'm lazy).
so, questions are:
would set insecure feel might be?
is there can improve security of such system, other switching php sdk?
thanks!
facebook ids pretty hard make (at user know own). depending on store in database (which not user cannot on own, unless ask extended permissions)
if worried user trying information database, add access token or signed request each row , , facebook id data. increase security.
edit
there few occasions signed request user:
* signed_request passed apps on facebook.com when loaded facebook environment * signed_request passed app has registered deauthorized callback in developer app whenever given user removes app using app dashboard * signed_request passed apps use registration plugin whenever user registers app signed requests contain user id if use has accepted permissions though, , not passed again if user enters application, , accepts permissions (meaning signed request not contain id). because of saving access token may better idea. here more on signed request
also signed request in url (param = "signed_request"). parse through c# sure can @ least 1 through javascript
Comments
Post a Comment