Validating a Facebook Session Within an iFrame

Facebook takes security seriously, and there are many things a Facebook app cannot do. Sometimes it is necessary to create an iFrame and load your page inside it to work around Facebook’s security model. This example shows how you can continue to use the $facebook->require_login() method while you are inside an iFrame.

Each Facebook request to your application contains a number of parameters that you can use to verify that the request really came from Facebook and that the user is actually logged in. These parameters look like this:

    [fb_sig_in_canvas] => 1
    [fb_sig_request_method] => GET
    [fb_sig_friends] => 12345678,123456789,...
    [fb_sig_locale] => en_US
    [fb_sig_in_new_facebook] => 1
    [fb_sig_time] => 1265247656.6432
    [fb_sig_added] => 1
    [fb_sig_profile_update_time] => 1261813927
    [fb_sig_expires] => 1265248900
    [fb_sig_user] => 1234567
    [fb_sig_session_key] => 2.18zPq2sNPEE6sn0wpMLc5w__.3600.1265248800-1234567
    [fb_sig_api_key] => ab6c2d2604ae9604be0efef88315c53e
    [fb_sig_app_id] => 289424642699
    [fb_sig] => 575ed0ccd0c9b3ea2d5d7c5417187de6

If you create an iFrame in your Facebook page, the parameters will be passed to the iFrame, but they will not automatically be passed from one request to the next. Once the user clicks on a link or you try to make an Ajax request, you will not be able to validate the user. The simple trick to keep the authorization is to pass the fb_sig_* parameters along with each request. A handy PHP function like this will help:

    function fb_vars()
    {
        $fb_vars = array();
        foreach ($_GET as $key => $value) {
            // keep fb_sig and every fb_sig_* parameter Facebook sent with this request
            if (strpos($key, 'fb_sig') === 0) {
                // urlencode() so a value containing '&' or '=' cannot break the query string
                $fb_vars[] = urlencode($key) . '=' . urlencode($value);
            }
        }
        return implode('&', $fb_vars);
    }

If you append the result of that function to the query string of each request, the $facebook->require_login() and $facebook->validate_fb_params() calls can then successfully validate that your user came from Facebook.
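As an added example (not code from the original post), here is what that validation amounts to, which is why forwarding the parameters keeps it working: the fb_sig signature covers every fb_sig_* value, so a forwarded set still verifies, while a tampered or expired set does not. It assumes the old Facebook Platform signing scheme and uses a constructed app secret and sample request.

```php
<?php
// Added example (not from the original post). Assumes the old Facebook
// Platform scheme: fb_sig = md5(sorted "key=value" pairs with the "fb_sig_"
// prefix stripped, concatenated, followed by the app secret). The secret and
// the sample request below are constructed placeholders.

// Return the verified fb_sig_* parameters (prefix stripped), or null when the
// signature does not match or the session has already expired at time $now.
function verify_fb_params(array $request, $app_secret, $now) {
    if (!isset($request['fb_sig'])) {
        return null;
    }
    $params = array();
    foreach ($request as $key => $value) {
        if (strpos($key, 'fb_sig_') === 0) {
            $params[substr($key, 7)] = $value;
        }
    }
    ksort($params);   // Facebook signs the pairs in sorted key order
    $str = '';
    foreach ($params as $key => $value) {
        $str .= $key . '=' . $value;
    }
    // hash_equals() keeps the comparison constant-time (PHP >= 5.6)
    if (!hash_equals(md5($str . $app_secret), (string) $request['fb_sig'])) {
        return null;
    }
    // A forwarded parameter set stops being accepted once fb_sig_expires passes
    if (!isset($params['expires']) || (int) $params['expires'] < $now) {
        return null;
    }
    return $params;
}

// Constructed sample request, signed the way Facebook would sign it
$app_secret = 'PLACEHOLDER_APP_SECRET';
$request = array('fb_sig_user' => '1234567', 'fb_sig_expires' => '1265248900',
                 'fb_sig_time' => '1265247656.6432', 'page' => '2');
$request['fb_sig'] = md5('expires=1265248900time=1265247656.6432user=1234567' . $app_secret);

// Round trip: carry the parameters in a query string, parse them on the next
// request, and verify; the tampered copy fails because the signature no longer matches
parse_str(http_build_query($request), $next);
var_dump(verify_fb_params($next, $app_secret, 1265248000));
$next['fb_sig_user'] = '7654321';
var_dump(verify_fb_params($next, $app_secret, 1265248000));
```

The first var_dump shows the verified parameter array; the second is null because changing fb_sig_user invalidates the signature, and calling with a $now later than fb_sig_expires is rejected the same way.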

Facebook vs You!

Have you had the… how should I describe it… experience of writing a Facebook application? No? OK, here’s an introduction to what you can expect.

When developing an application you must learn Rule #1: Facebook is the gatekeeper. Everything you do, be it HTML, CSS or JavaScript, is restricted by Facebook. Only the commands, functions, CSS properties, HTML tags etc. that Facebook allows are permissible. If you have an error in your HTML, such as an unclosed tag, or if you try to use a CSS property that does not exist, Facebook will render a very nice message saying you made an error.

Rule #2: The never-ending cycle. The Facebook platform is constantly changing, and APIs that you are using in your application could disappear one day without any notice. It’s the life of a Facebook application: working one instant, inexplicably broken the next. Be prepared for irregular maintenance just to keep your application working.

A Facebook application lives in the world of Facebook, and while it might initially seem like you’re developing a standard web application, you are not. Rule #3: Your application is on the Facebook web. It’s not a regular web application, which is a very slight but critical distinction. Facebook has used its powers as the gatekeeper to make modifications to the web. Some HTML tags are allowed, some are not. JavaScript has been stripped of much of its power, with only some of it replaced by Facebook-specific functions, and even CSS has restrictions. Don’t expect existing code to function when placed in the Facebook web.

Additional Caveats

  • You cannot include any external JavaScript or style sheet files; they must be included inline. This is so Facebook can parse them and allow only approved commands. Yes, it enhances the security of the social networking site as a whole, but it will slow down your development time.
  • Facebook will filter, compile, and drastically alter your original code. Clicking view-source on a Facebook page with your application will show your JavaScript code mushed into awkward Facebook functions.

Do you see that it’s a bit of a battle of you against the mighty Facebook? Don’t sweat too much, other developers have persevered and with a few wounds and time you can build and maintain a successful Facebook application. Good luck!