Enforcing Facebook Authentication: Client-side and server-side

Question

I'm building a social media app in Flash (AS3) that is tightly integrated with Facebook--all user accounts are handled via Facebook connect, and all Facebook connectivity is handled via a combination of the Javascript and AS3 Facebook APIs. I'm using Codeigniter on the backend for server-side data management, which includes tracking user actions and data on the site through URLRequests from Flash.

My problem is that I don't know how to prevent spoofing of the server requests that are made from Flash; in theory, malicious users could track the calls that Flash is making to my server and reproduce them in a way that (for example) inserts garbage data and associates it with a given Facebook user ID in my database. All authentication is taking place on the client side (via the Facebook JS API) with no intervention by the server, so I'm having a hard time figuring out exactly how to secure calls between Flash and the server in a manner that ensures that users have to be authenticated with Facebook in order to make them.

One possibility I considered is using an encryption scheme known by the client and server to pass Facebook UIDs back and forth, which would certainly be better than passing them in the clear. However, it would only take one enterprising hacker with enough time/patience to break the scheme (or decompile the swf) to screw everything up.

Anyway, I may be overthinking this, but it seems like an important point and I'm really not sure of the best approach. Any feedback would be greatly appreciated!

Answer 1

I just spent a ton of time trying to figure this one out! I know this is an old question, but hopefully it will be useful to you still or at least someone else.

The basic problem is just like you said. If you are doing client-side authentication, but you want to do some user-specific server side operations, you need to security authenticate the user on your system as well. Ideally, you would want to avoid having them log on again with a password and such because that would be a horrible user experience. So one might be tempted to just send over the UID and log them on that way. Unfortunately, there's an obvious security risk to this. As you point out, anyone can pass the UID which is generally public knowledge and log on as someone they are not.

The solution to this problem is to use information stored in a cookie that the facebook api drops after a user successfully logs on. The information in the cookie contains the user information in it as well as a unique signature data. If the server grabs the contents of the cookie, and you process it correctly, out should pop a secret code. This secret code should match, exactly, your application secret code which only you and facebook know. If it does, then you know the cookie (and thus the user) is legit. If it is not the same, then you know someone is trying something funny.

For more information, you might consider checking out these pages: PHP - https://developers.facebook.com/docs/guides/web/#personalization Ruby - http://vombat.tumblr.com/post/835536630/ruby-version-of-facebooks-get-facebook-cookie-in-php

I should also note that similar approaches for both LinkedIn and Twitter exist.