Enforcing Facebook Authentication: Client-side and server-side

I'm building a social media app in Flash (AS3) that is tightly integrated with Facebook--all user accounts are handled via Facebook connect, and all Facebook connectivity is handled via a combination of the Javascript and AS3 Facebook APIs. I'm using Codeigniter on the backend for server-side data management, which includes tracking user actions and data on the site through URLRequests from Flash.

My problem is that I don't know how to prevent spoofing of the server requests that are made from Flash; in theory, malicious users could track the calls that Flash is making to my server and reproduce them in a way that (for example) inserts garbage data and associates it with a given Facebook user ID in my database. All authentication is taking place on the client side (via the Facebook JS API) with no intervention by the server, so I'm having a hard time figuring out exactly how to secure calls between Flash and the server in a manner that ensures that users have to be authenticated with Facebook in order to make them.

One possibility I considered is using an encryption scheme known by the client and server to pass Facebook UIDs back and forth, which would certainly be better than passing them in the clear. However, it would only take one enterprising hacker with enough time/patience to break the scheme (or decompile the swf) to screw everything up.

Anyway, I may be overthinking this, but it seems like an important point and I'm really not sure of the best approach. Any feedback would be greatly appreciated!

justinbach asked Aug 04 '10 13:08


1 Answer

I just spent a ton of time trying to figure this one out! I know this is an old question, but hopefully it will be useful to you still or at least someone else.

The basic problem is just like you said. If you are doing client-side authentication, but you want to do some user-specific server-side operations, you need to securely authenticate the user on your system as well. Ideally, you would want to avoid having them log on again with a password and such because that would be a horrible user experience. So one might be tempted to just send over the UID and log them on that way. Unfortunately, there's an obvious security risk to this. As you point out, anyone can pass the UID, which is generally public knowledge, and log on as someone they are not.

The solution to this problem is to use information stored in a cookie that the Facebook API drops after a user successfully logs on. The information in the cookie contains the user information as well as unique signature data. If the server grabs the contents of the cookie, and you process it correctly, out should pop a secret code. This secret code should match, exactly, your application secret code, which only you and Facebook know. If it does, then you know the cookie (and thus the user) is legit. If it is not the same, then you know someone is trying something funny.

For more information, you might consider checking out these pages:
PHP - https://developers.facebook.com/docs/guides/web/#personalization
Ruby - http://vombat.tumblr.com/post/835536630/ruby-version-of-facebooks-get-facebook-cookie-in-php

I should also note that similar approaches for both LinkedIn and Twitter exist.

David Nguyen answered Nov 09 '22 08:11

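The signed-cookie check the answer describes, worked through as an added example (not code from the question, the answer, or Facebook's SDKs). It follows the legacy `fbs_<app_id>` cookie format that the PHP page linked above documented: the cookie holds `key=value` pairs plus a `sig`, and `sig` is the MD5 of the sorted `key=value` pairs concatenated with the app secret. Everything else here is an assumption for illustration: the function names (`sign_fbs_payload`, `build_cookie_value`, `verify_fbs_cookie`, `user_from_request`), the app id, the app secret and the cookie contents are all constructed. The code is Python for readability; a CodeIgniter backend would carry out the same steps in PHP.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode


def sign_fbs_payload(params, app_secret):
    """Legacy Facebook cookie signature: md5(sorted key=value pairs + app secret).

    The 'sig' entry itself is excluded from the signed payload.
    """
    payload = "".join(
        f"{key}={value}" for key, value in sorted(params.items()) if key != "sig"
    )
    return hashlib.md5((payload + app_secret).encode("utf-8")).hexdigest()


def build_cookie_value(params, app_secret):
    """Produce a cookie value the way the login flow would (used here only to
    construct sample input; in production only Facebook signs the cookie)."""
    signed = dict(params)
    signed["sig"] = sign_fbs_payload(signed, app_secret)
    # The legacy cookie value was wrapped in double quotes.
    return '"' + urlencode(signed) + '"'


def verify_fbs_cookie(cookie_value, app_secret):
    """Return the verified parameter dict, or None if the signature is missing or wrong.

    The app secret never leaves the server, so a client that forges or edits
    the cookie cannot produce a matching signature.
    """
    raw = cookie_value.strip('\\"')
    params = dict(parse_qsl(raw, keep_blank_values=True))
    presented = params.get("sig")
    if not presented:
        return None
    expected = sign_fbs_payload(params, app_secret)
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, presented):
        return None
    return params


def user_from_request(cookies, app_id, app_secret):
    """Server-side identity for a request from the Flash client.

    The UID is taken from the verified cookie only; any 'uid' sent in the
    request body is ignored, which is what defeats the spoofing scenario.
    """
    cookie_value = cookies.get(f"fbs_{app_id}")
    if cookie_value is None:
        return None
    params = verify_fbs_cookie(cookie_value, app_secret)
    return params["uid"] if params else None


if __name__ == "__main__":
    # Constructed sample values; not real Facebook credentials.
    APP_ID = "111"
    APP_SECRET = "constructed-app-secret"
    params = {
        "uid": "123456",
        "access_token": "constructed-token",
        "expires": "0",
        "base_domain": "example.com",
    }
    cookie = build_cookie_value(params, APP_SECRET)

    print("genuine cookie ->", user_from_request({f"fbs_{APP_ID}": cookie}, APP_ID, APP_SECRET))
    tampered = cookie.replace("uid=123456", "uid=999999")
    print("edited uid     ->", user_from_request({f"fbs_{APP_ID}": tampered}, APP_ID, APP_SECRET))
    print("no cookie      ->", user_from_request({}, APP_ID, APP_SECRET))
```

The browser sends the cookie automatically with a same-origin `URLRequest`, so the Flash client needs no changes and never needs to know the app secret; the secret stays on the server, which is why decompiling the swf gains nothing. The server should treat the verified `uid` as the only source of identity and reject requests whose cookie is absent or fails the check.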