 

Facebook Authentication Implementation

I'm working on a project which will use Facebook authentication completely (no custom authentication implementation exists). The project uses PHP for server-side scripting. I looked around for a fast and secure authentication mechanism, but I cannot find any detailed description of this subject. Facebook's documents are weak and provide only basic information.

Which authentication method would be appropriate? There's a JavaScript SDK and a PHP SDK. As I understand it, I have to use the JavaScript SDK for login, then using the PHP SDK I will check my database to verify the credentials. But using the Graph API with the PHP SDK is slow. Is there a better way to validate the session?

Will I need to check the session server-side (PHP SDK) on every request?

useraged asked Jul 25 '11 14:07


2 Answers

What I end up doing for my apps is pretty simple and relatively fast compared to any other method I've seen.

  1. Check the signed_request if it exists, and parse it if it does. If it doesn't exist, set the $login flag to 1 in PHP.
  2. I check the user's session / cookie to see if the user was previously authenticated by the app (I will come back to this later). If it is empty, set $login to 1.
  3. If the login flag is set to 1, send the user to the installation URL.
  4. The user installs the app and is sent to a connector page. This page serves the purpose of getting an access_token and generating a session / cookie for the user. This means you likely won't need to check this access_token's validity for the life of the user's session. offline_access also creates new opportunities. You can store the access_token in your db as well.
  5. Whenever you have a call that goes out to Facebook, check the exceptions; if you hit an authentication exception, clear the user's session and cookie. Next time it will force them to update their access_token, even if this process is invisible to the user.

I've done this on my apps; in most cases it means I don't have to make queries to FB to see the validity of the access_token, nor do I have to constantly get it on each page view. Our goal was to reduce latency on our apps, but Facebook was the biggest source of latency; doing this has cut it down considerably.

Francis Pelland answered Sep 23 '22 21:09
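The following is an added example, not the answer author's code, showing what steps 1-3 and step 5 above look like on the server: verify the signed_request Facebook POSTs to a canvas app (two base64url halves, `<sig>.<payload>`, where the signature is an HMAC-SHA256 over the still-encoded payload keyed with the app secret), populate the session from it, and otherwise rely on the session until a Graph API call fails. `APP_SECRET`, the `$session` array standing in for `$_SESSION`, the `fb_user_id` / `fb_access_token` keys and the `make_demo_signed_request` helper that mints a sample request offline are all assumptions made for this illustration.

```php
<?php
// Added example, not the answer author's code: the signed_request check and
// session gate from steps 1-3 above, plus the session reset from step 5.
// APP_SECRET is a placeholder; the $session array stands in for $_SESSION
// so the functions can be exercised without a running web server.
declare(strict_types=1);

const APP_SECRET = 'replace-with-your-app-secret'; // assumed placeholder

function base64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64url_decode(string $s)
{
    $s = strtr($s, '-_', '+/');
    $mod = strlen($s) % 4;
    if ($mod !== 0) {
        $s .= str_repeat('=', 4 - $mod);
    }
    return base64_decode($s, true); // string, or false on malformed input
}

/**
 * Parse "<sig>.<payload>" where both halves are base64url and
 * sig = HMAC-SHA256(<encoded payload>, app secret).
 * Returns the decoded payload, or null if anything fails verification.
 */
function parse_signed_request(string $signedRequest, string $secret): ?array
{
    $parts = explode('.', $signedRequest, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encSig, $encPayload] = $parts;
    $sig  = base64url_decode($encSig);
    $json = base64url_decode($encPayload);
    if ($sig === false || $json === false) {
        return null;
    }
    $data = json_decode($json, true);
    if (!is_array($data)
        || !is_string($data['algorithm'] ?? null)
        || strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        return null;
    }
    // The MAC covers the still-encoded payload; compare in constant time.
    $expected = hash_hmac('sha256', $encPayload, $secret, true);
    return hash_equals($expected, $sig) ? $data : null;
}

/**
 * Steps 1-3: returns true when the user must be sent to the install URL.
 * A verified signed_request that carries a user_id (the user has authorized
 * the app) refreshes the session; otherwise an existing session is enough.
 */
function needs_login(array $request, array &$session, string $secret): bool
{
    if (isset($request['signed_request'])) {
        $data = parse_signed_request((string) $request['signed_request'], $secret);
        if ($data !== null && !empty($data['user_id'])) {
            $session['fb_user_id'] = (string) $data['user_id'];
            if (!empty($data['oauth_token'])) {
                $session['fb_access_token'] = (string) $data['oauth_token'];
            }
            return false;
        }
        // Present but forged, or the user has not authorized the app yet:
        // ignore it and fall through to the session check.
    }
    return empty($session['fb_user_id']);
}

/** Step 5: call this from the catch block around any Graph API request. */
function clear_fb_session(array &$session): void
{
    unset($session['fb_user_id'], $session['fb_access_token']);
}

// Constructed sample so the example runs offline: mint a signed_request the
// way Facebook would, but with the demo secret (assumed helper).
function make_demo_signed_request(array $payload, string $secret): string
{
    $encPayload = base64url_encode(json_encode($payload));
    return base64url_encode(hash_hmac('sha256', $encPayload, $secret, true)) . '.' . $encPayload;
}

$session = [];
$payload = ['algorithm' => 'HMAC-SHA256', 'issued_at' => time(), 'user_id' => '1234567890'];
$good    = make_demo_signed_request($payload, APP_SECRET);
$forged  = make_demo_signed_request($payload, 'not-the-app-secret');

var_dump(needs_login(['signed_request' => $good], $session));   // first hit from Facebook
var_dump(needs_login([], $session));                            // later page view, session only
clear_fb_session($session);                                     // as after an auth exception
var_dump(needs_login(['signed_request' => $forged], $session)); // wrong key, no session left
```

The HMAC check is what makes the user_id trustworthy; a signed_request whose MAC does not verify under the app secret is simply treated as absent. A production version would also reject payloads whose `issued_at` is older than a few minutes to limit replay, and the session cookie that carries this state should be marked HttpOnly and Secure, since with this design it is the cookie, not Facebook, that vouches for the user between page views. Note the trade-off the answer accepts: an expired or revoked `oauth_token` is only noticed when a Graph call throws, which is exactly why step 5 clears the session on an authentication exception.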


Answering my own question:

I used the JavaScript SDK to check whether Facebook authentication is available.

  • If FB authentication is OK and my application is not authenticated, I present the user with a prefilled Facebook registration form.
  • If FB authentication isn't OK, I present a Facebook login button.

The Registration Plugin authorizes my application and I call my fblogin.php to check this information using the PHP SDK. When the PHP SDK validates the authorization, it stores this information in a session variable. So there's no need to check FB authentication on every request.

The login button does the same as the Registration Plugin. These methods share the same server-side functionality, but their presentation is different.

In order to catch the Facebook logout status, I used the JavaScript SDK to validate Facebook authentication on every request. If the user is logged out, my JS code calls fblogout.php and the current session is destroyed. There's a flaw in this method: if a user does not log out from my website explicitly, an attacker could do anything on behalf of the user just by disabling JS on the same machine.

I cannot find a better solution with fast response time.

useraged answered Sep 24 '22 21:09