验证Facebook Connect会话 [英] Verifying a Facebook Connect session
问题描述
其中一个客户端例如在iOS平台上运行,所以所有的fb身份验证都通过iOS Facebook SDK发生在客户端上。然而,在用户对客户端进行身份验证之后,由于我正在使用Facebook登录到我们的网站,服务器是否还要从客户端获取验证数据,并进行验证?
使用Javascript SDK,调用FB.getSession()获取具有各种与auth相关的位的JS对象。其中,将'access_token','expires','secret','session_key','uid'和'sig'传递到您的服务器。
检查呼叫是否可信,将这些连接成诸如access_token = 1290380d9e& expires = 92d903& secret = e9cj9kd& session_key = s49i9i3f& uid = 12345的字符串。所以你刚刚通过的一切,不包括sig。
对于这个字符串,你可以从 Facebook开发者网站。将字符串中的MD5 hexdigest(在Python import md5; md5.new(foobar).hexdigest())中进行比较,以查看它是否与您传递的'sig'相同。
I am writing an application which has multiple frontend clients using Facebook Connect as a single signon solution.
One of these clients, for example is running on the iOS platform, so all fb authentication happens on the client via the iOS Facebook SDK. After a user authenticates on the client, however, since I am using Facebook for signing in to our site, is there anyway for the server to take the auth data from the client, and verify it?
Using the Javascript SDK, call FB.getSession() to get a JS object with various auth-related bits. Of these, pass 'access_token', 'expires', 'secret', 'session_key', 'uid' and 'sig' along to your server.
On server-side to check if the call is authentic, concat these into a string such as "access_token=1290380d9e&expires=92d903&secret=e9cj9kd&session_key=s49i9i3f&uid=12345". So everything you just passed, EXCLUDING the sig.
To this string, concat the "app secret" which you can get from Facebook developer site. Take the MD5 hexdigest (in Python import md5;md5.new(foobar).hexdigest()) of the string and compare to see if it is the same as the 'sig' you passed.
这篇关于验证Facebook Connect会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
