Question

What, if anything, should I know about spoofing in regard to Facebook?

I was planning on logging users in with just their Facebook ID - no password. My assumption was that they would already be logged in to Facebook, so they wouldn't need a password. However, now I'm wondering if it would be possible for someone to pass a fake ID (or someone else's ID) to my app and/or server. How can I make sure this doesn't happen?

(I'm using the Facebook Actionscript API, Flash/AS3, and SmartFoxServer Pro.)


Solution

The only way to prevent spoofing is to use the OAuth2 mechanism that Facebook provides. The user must approve your app to authenticate against Facebook, otherwise there is no way for you to know for sure that someone isn't maliciously (or accidentally) entering the wrong Facebook ID.

This will tell you how it all works: http://developers.facebook.com/docs/authentication/. (These docs are admittedly a bit confusing in parts, but there are lots of great questions/answers here on SO to help you get it all working.)
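An added example, not part of the original answer or Facebook's own code: a server-side check of the `signed_request` value Facebook issues once the user has approved the app, so the user ID is taken from data signed with the app secret instead of from whatever ID the client sends. `APP_SECRET`, the function names and the sample payload are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

APP_SECRET = b"constructed-app-secret"  # placeholder; the real secret never leaves the server


def b64url_decode(part):
    # Facebook strips '=' padding from both parts; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_signed_request(payload, secret):
    # Builds a sample value in Facebook's "<sig>.<payload>" layout (test input only).
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).rstrip(b"=").decode() + "." + body


def verified_user_id(signed_request, secret=APP_SECRET, max_age=3600, now=None):
    """Return user_id only when the value was signed with our app secret, else None."""
    try:
        sig_part, payload_part = signed_request.split(".", 1)
        sig = b64url_decode(sig_part)
        data = json.loads(b64url_decode(payload_part))
    except ValueError:
        return None  # malformed input
    if not isinstance(data, dict) or data.get("algorithm") != "HMAC-SHA256":
        return None  # refuse anything but the expected MAC algorithm
    expected = hmac.new(secret, payload_part.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # payload was not produced by someone holding the secret
    issued = data.get("issued_at")
    now = time.time() if now is None else now
    if not isinstance(issued, (int, float)) or now - issued > max_age:
        return None  # stale value: limits replay of a captured request
    # user_id is present only after the user has authorized the app
    return data.get("user_id")


if __name__ == "__main__":
    sample = make_signed_request(
        {"algorithm": "HMAC-SHA256", "user_id": "1000001", "issued_at": int(time.time())},
        APP_SECRET)
    print(verified_user_id(sample))
```

The server should create the session from the returned ID only, and ignore any ID field the Flash client sends alongside it.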

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow