I am developing a Flash game for Facebook that uses PHP to access MySQL to store users game info. I am a bit stuck right now though. Here is my scenario.
User logs into Facebook and starts app which calls index.php and houses my Flash game. (works fine).
I use $facebook->getUser(); to authenticate and begin gathering user information (also works fine).
Flash will then access a getdata.php file on my server that will access MySql and echo certain info (ie. fname=John&lname=Doe&age=25).
Step 3 is the problem and I'll do my best to explain it...
My getdata.php also does a $facebook->getUser(); authentication, but the user is NOT authenticated on that script, whereas within the IFRAME app, the user is still authenticated. I'm assuming it has something to do with the fact that the main page is within Facebook's IFRAME and is possibly seen as a different session than when Flash tries to connect with my getdata.php file on my server. Is this the case? And can anyone help point me in the right direction as to how I might use Flash within an IFrame app to access a script on my server to retreive variables?
EDIT: I should mention that I'm using ActionScript 3 for Flash, but I'm fairly certain the problem doesn't lie there because it will retrieve the variables, but since the user is not authenticated on the server, then it will return a success=0.
Also wanted to point out that if I access my flash game through my actual server, and not Facebook, then all works well. Another reason why I think it's a session-type problem.
This is a session problem. You should try to pass the facebook signed_request, or any data you can use to build a valid user session, into your flash file and then pass them back to getdata.php where it can be used to access the users data.
Related
I'm new to ionic. From last 2/3 weeks, I'm working on ionic to build a mobile app for our web application & currently in confusion at one step. Need some suggestion regarding the best way to solve this.
Our web application is built upon PHP & we are not using any kind of REST architecture in it. Since now, we are moving to the mobile app we are trying to refactor our codebase. So that, one base code will handle all both(mobile app/web app) kind of request.
In mobile app side, I'm using OAUTH(http://bshaffer.github.io/oauth2-server-php-docs/). It's working fine. I can able to login/logout. But, I can't able to manage my PHP SESSION data.
In the web application, I know after login PHP send a session id which get stored in browser cookie & in all subsequent HTTP call it gets attached by browser. But, in my mobile app I'm not getting that SESSION ID after login. So, I thought maybe this is the reason for which my mobile app is not getting the user's SESSION data.
To resolve this, what I've done now...
After getting, authorization token & refresh token from OAUTH server, I include current PHP SESSION ID also in the data set & return back to the mobile app. Then, in all subsequent Http call I send that SESSION ID value to server side & by using the following code, I retrieve the user's SESSION data.
session_id($_POST['session_id']);
session_start();
$UserData = $_SESSION['User'];
It's working now. But, I really don't know whether it's a right way to do such things or not & mostly I'm concern with security issue associated with this. Can anyone guide me with this?
Regards
I'm trying to implement login and registration on a page using the Facebook API for both JS and PHP SDK 4.0. The 4.0 SDK seems relatively new and have changed a lot in recent time. There aren't a lot of answers out there. The documentation also seems pretty poor.
I already have a page with standard login using php/mysql. This will just be another option of login/registration for users.
After a couple of years just reading on Stackoverflow, this is my first post. Sorry in advance if it's in some way inadequate.
This is how I figure I would like to set this up:
A Facebook-button next to the login with a JS Facebook-login dialog connected to it.
If the user authorizes: send the result with an ajax-request to a php-page
Use FacebookJavaScriptLoginHelper to set up a session.
Get a long life access-token with getLongLivedSession.
Make a request for /me. Check if the email for this account is already a user on my site.
If not already a user: Ask for a username, register the user with info from Facebook.
Connect the account by saving the internal userid and the access-token in my database
Questions so far:
Am I supposed to send the token with my AJAX-call from the client, or would this be a security risk? I could just fetch the token with the PHP SDK instead.
Should i store the token with $_SESSION? Should I even store this manually myself? If so, is there built in functionality for this in the PHP SDK? Couldn't find any.
When a user has gone through this process I want to be able to check server side directly on page load if the user has authorized my app (and is logged in on FB).
Am I supposed to acquire the access-token using $_SESSION, or is there functionality for this? Isn't there any built in functionality to do a standard check if the user is authorized already?
When doing this in PHP, should I use the FacebookRedirectLoginHelper? Seems a bit odd since I'd never want to redirect with PHP, when my login dialogs will be with JS.
Maybe I've gotten the gist of this all wrong. My main concern is if I really would have to be storing the token with $_SESSION. I've seen a lot of people doing it in tutorials, but found nothing about it in Facebooks docs.
Thank you for your detailed post. Not a lot of people put so much effort in their first post ;)
The token you refer to is automatically stored in the cookie by the JS SDK. You can instantiate a session on the PHP side in the following way:
$js_helper = new FacebookJavaScriptLoginHelper($app_id);
$session = $js_helper->getSession();
Or: https://developers.facebook.com/docs/php/FacebookJavaScriptLoginHelper/4.0.0
You don't have to store the token by yourself, since it's already stored in the cookie.
Does this make the situation more clear?
I am grabbing some data to put in my iOS app by visiting an url. But now, given the URL, the users can access the content of my application without using it. Is there a way to hide the info on this URL from public?
The content I get is through a php script to get the database queries.
You can set up a security system on your website and connect to it using a special URL with an encoded variable.
For example you can make your iOS application connect to :
http://mywebsite.com/somepage.php?id=yuw7262
Then in your PHP page, you can get the value of "id", decipher it and if it is valid, allow the user to go forward. It is pidgin security but it will work.
Put some security in your php scripts.
Use $_SESSIONs to verify that a user is logged in and is using your app correctly
We have a Flash site that integrates heavily with Facebook. When users sign up we get them to allow a Facebook app that ties into the site. This is done through the AS3 Facebook API library from Adobe.
When users have done this, they should then be able to sign up, submitting some personal details and so on. The Flash sends this request to our PHP which then checks to see if the user is actually logged into Facebook, and has allowed our app.
The problem we're having is that when a user goes to do this, the PHP facebook library says that the user is not logged in. If we then refresh the page and try signing up again, everything works fine.
I'd imagine it's a cookie thing, but we're really banging our head against a wall here and can't figure out why it's not working.
Cheers,
Mark.
Are you using OAuth (good example here by chirs coenraets)
Regardless, you may need to use a flash php/js proxy (php i presume since thats what your using) to deal with any crossdomain policy issues.
Hello I am looking to build a basic API and application/apps system on my social network something like Facebook or other sites have, my site is in php/mysql. Here are some questions.
1)
Basically what I want to do is give a user a API key and secret. After I have these how can I use them in my php app to authenticate a user request which would come from there server?
2)
I can basically build an API to send a request to my server with CURL and get the result back to the page in XML or JSON or whatever, the problem is when sending the request the user would have to know the user ID they want to send to lookup data against, this is fine for an API but I am wanting to have an Apps section where the user's app site would be using the API and would be loaded into my site in the app section with an iframe, the problem is, I need to find a good way to make it where a logged in user on my site can go to the app section and go to an app and there username should be available to that page loaded in the iframe. Facebook and myspace do this somehow and many other sites; I am lost how to get around this hurdle.
Any help on any of this is really appreciated, thank you
Update:
I just had an idea, if I require a cookie to be set when a user visit's my site, then they would have a cookie and it could hold there User ID, then my API script could look for that cookie to exist and grab it's value?
If you plane on using an IFRAME, then no, your API hosted on a separate website (the website inside the IFRAME) would not be able to grab the cookie. The cookie is only visible on the website that it was set for.
I have only used Facebook API with the FBML (not the IFRAME,) but all they do their is basically replace what's in the page with the info that the "tag" is calling. I'm not sure if there is a better way, but you could possibly call a page on the app's server (say the app is hosted at http://example.com/app/, and you called http://example.com/app/?id=28318&name=John%20Maguire,) and have your API code handle it and turn it into a variable?
Maybe you should look into the source code of the Facebook API client.