Question

I'm adding the functionality for users to log into my site using their Facebook account. When they create an account on the site, if they've created the account with their Facebook info I add their username and Facebook user ID into my users table (password not required if using Facebook). If they create an account without their Facebook, I add their username and password into my users table.

When the user logs in, I obviously verify their username/password combination if they didn't sign up using Facebook, and if they did sign up using Facebook I validate by checking if a user is found with their Facebook ID. The Facebook verification method just doesn't seem secure, so I want to check if I'm doing it right.

Here's a condensed version of my login code:

$facebook = new Facebook(
    array(
        'appId'  => '123456789',
        'secret' => '123456789',
    )
);

$fb_user = $facebook->getUser();

if ($fb_user)
{
    $fb_user_profile = $facebook->api('/me');
    $facebook_id = (int) $fb_user_profile['id'];

    if (verify_facebook_user($facebook_id))
    {
        // a user with facebook_id found in database
        // log user in
    }
}
else
{
    // $username and $password come from the login form
    if (verify_user($username, $password))
    {
        // username/password combination found in database
        // log user in
    }
}

For logging in a user, is it sufficient to simply verify that a user with their facebook_id is found in the database?


Solution

Yes, you are going right because every Facebook user has a unique username and password.

$facebook_id = (int) $fb_user_profile['id'];

so there is no possibility of two users having the same Facebook ID, so you do not need to worry about it.


Refer the Facebook Security Checklist for more information.

This list below should be considered the absolute minimum that all apps using Facebook Login should implement. Other features will be unique to your app and you will need to always think about how to make your app as secure as possible. Apps that are not secure will lose the trust of their audience and people will stop using them.

  • Never include your App Secret in client-side or decompilable code.
  • Sign all server-to-server Graph API calls with your App Secret.
  • Use unique short-term tokens on clients.
  • Don't trust that access tokens in use by your app were actually generated by your app.
  • Use our official SDKs where possible.
  • Reduce your app's attack surface area by locking down your Facebook app settings.

Reference Link

As per my experience, using the PHP SDK is safer than the JS SDK that you are already using.
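The following is an added example, not code from the question or the answer, showing the Facebook branch of the login flow written so that the checklist items above are actually enforced: the App Secret stays server side, the server-to-server Graph call is signed with appsecret_proof, and the token the browser hands over is checked with the /debug_token endpoint to confirm it was issued for this app before the resulting ID is looked up in the users table. The lookup by facebook_id is only as trustworthy as the ID's origin, which is why the ID is taken from Facebook's own answer rather than from anything the client posted. The names $app_id, $app_secret, find_user_by_facebook_id() and log_user_in() are assumed placeholders for the site's own configuration and helpers.

```php
<?php
// Added example (not the poster's code). Assumes plain curl against the Graph API;
// $app_id / $app_secret are loaded from server-side config, never shipped to a client.

function graph_get(string $path, array $params): array {
    $url = 'https://graph.facebook.com' . $path . '?' . http_build_query($params);
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,   // keep TLS verification on for server-to-server calls
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Graph request failed: $err");
    }
    curl_close($ch);
    $json = json_decode($body, true);
    if (!is_array($json) || isset($json['error'])) {
        throw new RuntimeException('Graph API returned an error: ' . $body);
    }
    return $json;
}

// "Sign all server-to-server Graph API calls with your App Secret":
// appsecret_proof is HMAC-SHA256 of the access token keyed with the App Secret.
function appsecret_proof(string $access_token, string $app_secret): string {
    return hash_hmac('sha256', $access_token, $app_secret);
}

// "Don't trust that access tokens in use by your app were actually generated by your app":
// ask Facebook which app the token belongs to and whether it is still valid.
// Returns the Facebook user ID as a string (IDs can exceed 32-bit int range), or null.
function verified_facebook_user_id(string $client_token, string $app_id, string $app_secret): ?string {
    if ($client_token === '') {
        return null;
    }
    $app_token = $app_id . '|' . $app_secret;          // app access token, server side only
    $debug = graph_get('/debug_token', [
        'input_token'  => $client_token,
        'access_token' => $app_token,
    ]);
    $data = $debug['data'] ?? [];
    if (empty($data['is_valid']) || (string) ($data['app_id'] ?? '') !== $app_id) {
        return null;                                     // expired, revoked, or minted for another app
    }

    // Fetch the profile with the user's token, signed with appsecret_proof.
    $me = graph_get('/me', [
        'fields'          => 'id',
        'access_token'    => $client_token,
        'appsecret_proof' => appsecret_proof($client_token, $app_secret),
    ]);
    if (!isset($me['id']) || (string) $me['id'] !== (string) ($data['user_id'] ?? '')) {
        return null;                                     // /me and /debug_token disagree: reject
    }
    return (string) $me['id'];
}

// Login flow mirroring the question's structure; the short-lived token posted by
// the browser is the only client-supplied input, and it is never used directly as identity.
$facebook_id = verified_facebook_user_id((string) ($_POST['fb_token'] ?? ''), $app_id, $app_secret);

if ($facebook_id !== null) {
    $user = find_user_by_facebook_id($facebook_id);      // hypothetical helper: lookup by the verified ID
    if ($user !== null) {
        log_user_in($user);                              // hypothetical helper: start the session
    } else {
        // valid Facebook login but no account yet: offer sign-up, do not fall back to password auth
    }
} else {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    if (verify_user($username, $password)) {
        // username/password combination found in database, as in the question
    }
}
```

Two design points worth noting: the users table should store facebook_id as a string or a 64-bit column rather than casting to int, and a failed Facebook check should fail closed (no login) rather than silently dropping into the password branch with empty credentials.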

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow