If you set oauth to true when you call FB.init() using the JavaScript API, you will now get the cookie fbsr_APP_ID instead of the cookie fbs_APP_ID (note the "r"). It contains a signed request and is part of the OAuth migration.
If you use the PHP SDK, it should take care of this.
However, the documentation for websites has not been updated with the new get_facebook_cookie() function: https://developers.facebook.com/docs/guides/web/
It still uses the old cookie format. You can find how to parse a signed request here:
http://developers.facebook.com/docs/authentication/signed_request/
Then you need to exchange the "code" parameter in the cookie for an access_token, as described in the documentation: developers.facebook.com/docs/authentication/ (no http:// due to StackOverflow spam prevention)
I dug into the source of the new PHP SDK a bit to figure this out, since none of the documentation has been updated.
The full code I use is a combination of the above with a few minor changes to work with either the old or the new cookie format. The new get_facebook_cookie() function returns several additional array elements (algorithm, code, issued_at, user_id), and several array elements are no longer set (base_domain, secret, session_key, sig). The main parameters most people look for are most likely still set (uid, access_token and expires).
```php
// Helpers from the signed_request documentation linked above.
function base64_url_decode($input) {
    return base64_decode(strtr($input, '-_', '+/'));
}

function parse_signed_request($signed_request, $secret) {
    list($encoded_sig, $payload) = explode('.', $signed_request, 2);
    $sig = base64_url_decode($encoded_sig);
    $data = json_decode(base64_url_decode($payload), true);
    if (!is_array($data) || !isset($data['algorithm'])
        || strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        return null; // unknown or missing algorithm
    }
    // the HMAC covers the still-encoded payload, not the decoded JSON
    $expected_sig = hash_hmac('sha256', $payload, $secret, true);
    if (!hash_equals($expected_sig, $sig)) {
        return null; // bad signature
    }
    return $data;
}

function get_facebook_cookie($app_id, $app_secret) {
    if (!empty($_COOKIE['fbsr_' . $app_id])) {
        return get_new_facebook_cookie($app_id, $app_secret);
    }
    return get_old_facebook_cookie($app_id, $app_secret);
}

function get_old_facebook_cookie($app_id, $app_secret) {
    if (empty($_COOKIE['fbs_' . $app_id])) {
        return array();
    }
    $args = array();
    parse_str(trim($_COOKIE['fbs_' . $app_id], '\\"'), $args);
    ksort($args);
    $payload = '';
    foreach ($args as $key => $value) {
        if ($key != 'sig') {
            $payload .= $key . '=' . $value;
        }
    }
    // constant-time compare of the md5 signature
    if (!isset($args['sig']) || !hash_equals(md5($payload . $app_secret), $args['sig'])) {
        return array();
    }
    return $args;
}

function get_new_facebook_cookie($app_id, $app_secret) {
    $signed_request = parse_signed_request($_COOKIE['fbsr_' . $app_id], $app_secret);
    if (is_null($signed_request)) {
        return null; // cookie is missing, malformed or not signed with our secret
    }
    // $signed_request now has most of the old elements
    $signed_request['uid'] = $signed_request['user_id']; // for compatibility
    // exchange "code" for an "access_token"; redirect_uri must be empty for a code from a signed_request
    $access_token_response = file_get_contents(
        'https://graph.facebook.com/oauth/access_token?client_id=' . urlencode($app_id)
        . '&redirect_uri=&client_secret=' . urlencode($app_secret)
        . '&code=' . urlencode($signed_request['code'])
    );
    $token = array();
    parse_str($access_token_response, $token);
    if (!isset($token['access_token'])) {
        return null; // Graph API returned an error instead of a token
    }
    $signed_request['access_token'] = $token['access_token'];
    $signed_request['expires'] = time() + (int) $token['expires'];
    return $signed_request;
}
```
Matthew Kolb
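The cookie formats described in the answer above, worked through as an added example in Python (not the answer's code and not Facebook's SDK): it builds a constructed fbsr_ signed_request and a constructed legacy fbs_ cookie offline, verifies each the way the PHP does (HMAC-SHA256 over the still-encoded payload for the new format, md5 over the sorted key=value pairs plus the secret for the old one), pins the algorithm field so a payload claiming anything else is rejected, and shows that flipping a byte of the payload makes verification fail. The app id and secret are made up, and the code-for-access_token exchange is a network call to the Graph API, so it is left out.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed values for the demo; not a real app id or secret.
APP_ID = "123456789"
APP_SECRET = "constructed-app-secret"


def b64url_decode(s: str) -> bytes:
    """Facebook omits base64 padding; add it back before decoding."""
    raw = s.encode("ascii")
    return base64.urlsafe_b64decode(raw + b"=" * (-len(raw) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_signed_request(payload: dict, secret: str) -> str:
    """Produce a signed_request in Facebook's layout: base64url(sig).base64url(json).
    Only used here to construct a test cookie offline."""
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{body}"


def parse_signed_request(signed_request: str, secret: str):
    """Verify an fbsr_ cookie value; return the payload dict, or None on any failure."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
        sig = b64url_decode(encoded_sig)
        data = json.loads(b64url_decode(payload))
    except ValueError:  # bad split, bad base64 (binascii.Error), bad JSON or UTF-8
        return None
    # Pin the algorithm: a payload that names anything else is rejected, not trusted.
    if not isinstance(data, dict) or str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The HMAC covers the still-encoded payload string, not the decoded JSON.
    expected = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return data


def make_old_cookie(args: dict, secret: str) -> str:
    """Legacy fbs_ cookie: a query string whose sig is md5(sorted k=v pairs + secret).
    Only used here to construct a test cookie offline."""
    payload = "".join(f"{k}={args[k]}" for k in sorted(args))
    sig = hashlib.md5((payload + secret).encode()).hexdigest()
    return urlencode({**args, "sig": sig})


def parse_old_cookie(value: str, secret: str):
    """Verify a legacy fbs_ cookie the way the PHP above does; None if the sig is wrong."""
    pairs = parse_qs(value.strip('\\"'), keep_blank_values=True)
    args = {k: v[0] for k, v in pairs.items()}
    sig = args.get("sig")
    if sig is None:
        return None
    payload = "".join(f"{k}={args[k]}" for k in sorted(args) if k != "sig")
    expected = hashlib.md5((payload + secret).encode()).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return args


def get_facebook_cookie(cookies: dict, app_id: str, secret: str):
    """Prefer the new fbsr_ cookie and fall back to the old fbs_ one, like the PHP above."""
    new = cookies.get(f"fbsr_{app_id}")
    if new:
        data = parse_signed_request(new, secret)
        if data is not None:
            data["uid"] = data.get("user_id")  # keep old callers working
        return data
    old = cookies.get(f"fbs_{app_id}")
    if old:
        return parse_old_cookie(old, secret)
    return None


if __name__ == "__main__":
    payload = {"algorithm": "HMAC-SHA256", "code": "constructed-code",
               "issued_at": 1312345678, "user_id": "12345"}
    cookies = {f"fbsr_{APP_ID}": make_signed_request(payload, APP_SECRET)}
    print(get_facebook_cookie(cookies, APP_ID, APP_SECRET))
    # Change the user_id inside the payload: the signature no longer matches -> None.
    sig, body = cookies[f"fbsr_{APP_ID}"].split(".")
    tampered = b64url_encode(b64url_decode(body).replace(b"12345", b"99999"))
    print(parse_signed_request(f"{sig}.{tampered}", APP_SECRET))
```

Two details carry over from the PHP and are easy to get wrong when porting: the HMAC is computed over the base64url-encoded payload string exactly as it appears in the cookie, and the signature comparison uses a constant-time compare so a byte-by-byte mismatch does not leak timing.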