Facebook takes security seriously and there are many many things a Facebook app cannot do. Sometimes it is necessary to create an iFrame and load the page in to work around Facebook’s security model. This example shows how you can continue to use the $facebook->require_login() method while you are inside an iFrame.
Each Facebook request to your application contains a number of parameters that you can use to authenticate if the request really came from Facebook and if the user is actually logged in. These parameters looks like this:
[fb_sig_in_canvas] => 1
[fb_sig_request_method] => GET
[fb_sig_friends] => 12345678,123456789,...
[fb_sig_locale] => en_US
[fb_sig_in_new_facebook] => 1
[fb_sig_time] => 1265247656.6432
[fb_sig_added] => 1
[fb_sig_profile_update_time] => 1261813927
[fb_sig_expires] => 1265248900
[fb_sig_user] => 1234567
[fb_sig_session_key] => 2.18zPq2sNPEE6sn0wpMLc5w__.3600.1265248800-1234567
[fb_sig_api_key] => ab6c2d2604ae9604be0efef88315c53e
[fb_sig_app_id] => 289424642699
[fb_sig] => 575ed0ccd0c9b3ea2d5d7c5417187de6
If you create an iFrame in your facebook page, the parameters will be passed to the iFrame but by will not automatically be passed from one request to the next. Once the user clicks on a link or you try to do an ajax request, you will not be able to validate the user. The simple trick to keep the authorization is to pass the fb_sig_* parameters to request. A handy PHP function like this will help:
$fb_vars = array();
foreach ($_GET as $key => $value)
if (strpos($key, "fb_sig") !== false)
$fb_vars = $key."=".$value;
return implode('&', $fb_vars);
If you append the result of that function to the query string of each request, the $facebook->require_login() call and the $facebook->validate_fb_params() can then successfully validate if your user is from Facebook.
Have you had the… how should I describe it… experience of writing a Facebook application? No? OK, here’s an introduction to what you can expect.
Rule #2 The never ending cycle. The Facebook platform is constantly changing and APIs that you are using in your application could disappear one day without any notice. It’s the life of a Facebook application, working one instant, inexplicably broken the next. Be prepared for irregular maintenance just to keep your application working.
Do you see that it’s a bit of a battle of you against the mighty Facebook? Don’t sweat too much, other developers have persevered and with a few wounds and time you can build and maintain a successful Facebook application. Good luck!