如果我们使用JS SDK登录,则在服务器端获取facebook会话 [英] Getting the facebook session at the server side if we login using JS SDK
问题描述
朋友
我已使用JS SDK为我的网站设置了Facebook登录名.
-
如果使用是通过JS SDK登录的,那么我们应该交叉验证会话在服务器端是否有效,因为客户端很容易被伪造.
-
由于我使用JS SDK,因此服务器将无权访问facebook会话. 如果我需要在服务器端验证会话,是否可以像在中指定的那样使用php-sdk和extern会话https://developers.facebook.com/docs/reference/php/吗?在这种情况下,我需要启用CURL PHP扩展才能使其运行,并担心在使用php sdk时性能是否会下降.
您能帮我为上述查询找到答案吗?
php sdk和javascript与Julian H. Lam所说的完全相反,实际上它们是为了一起使用而构建的.
在 php sdk文档中,您可以找到以下内容:
与JavaScript的Facebook SDK集成
与JavaScript的Facebook SDK,PHP SDK结合使用 可以在客户端和服务器之间无缝共享用户会话.如果一个 用户使用Facebook登录并已授权您的应用, JavaScript SDK可以接收用户会话,并将其持久保存在Cookie中 PHP SDK无需任何干预即可读取的内容 开发人员的部分.
要启用此功能,请确保在嵌入和 初始化JS SDK,同时设置状态和cookie 传递给FB.init()的对象的参数为true.
通过使用基本逻辑,这很有意义,在客户端上,您可以创建侦听器来检索用户状态(如果他已登录,如果他已授予权限,如果他已经注销),则在服务器上执行此类操作服务器端根本没有任何意义.
所以我对您的建议是使用Javascript SDK来处理用户事件(如我之前提到的事件),并处理用户操作(例如,用户进行点赞或使用共享信息)的响应供稿对话框等
使用php SDK时,您只需检查您是否具有有效的用户,因为使用javascript SDK处理登录过程后,您将在客户端和服务器端共享相同的cookie,如果您这样做$fb_id = $facebook->getUser()(当然,在初始化PHP SDK之后),您将获得用户facebook id,因为您知道自己具有有效的用户,因此可以使用PHP SDK查询有关用户的信息,代表用户发布信息等.
以下是正确加载具有Cookie支持的javascript SDK的示例:
<div id="fb-root"></div>
<script>
window.fbAsyncInit = function() {
// init the FB JS SDK
FB.init({
appId : 'YOUR_APP_ID', // App ID from the app dashboard
channelUrl : '//WWW.YOUR_DOMAIN.COM/channel.html', // Channel file for x-domain comms
status : true, // Check Facebook Login status
xfbml : true, // Look for social plugins on the page
cookie : true
});
// Additional initialization code such as adding Event Listeners goes here
};
// Load the SDK asynchronously
(function(d, s, id){
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) {return;}
js = d.createElement(s); js.id = id;
js.src = "//connect.facebook.net/en_US/all.js";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));
</script>
这是服务器端的一个简单代码,用于启发您:
require_once("facebook.php");
$config = array();
$config[‘appId’] = 'YOUR_APP_ID';
$config[‘secret’] = 'YOUR_APP_SECRET';
$config[‘fileUpload’] = false; // optional
$facebook = new Facebook($config);
try {
$user_profile = $facebook->api('/me','GET');
$user_name = $user_profile['name'];
$user_email = $user_profile['email'];
} catch(FacebookApiException $e) {
// If the user is logged out, you can have a
// user ID even though the access token is invalid.
// In this case, we'll get an exception, so we'll
// just ask the user to login again here.
}
PS:此服务器端代码,仅在用户已授予范围电子邮件授予权限的情况下有效
Friends,
I have set up a facebook login for my website using JS SDK.
If the use is logged in through JS SDK, should we cross verify whether the session is valid in the server side also as client side can easily be fabricated.
Since I use JS SDK, server will not have access to the facebook session. If I need to verify the session at the server end, can i use php-sdk adn extern the session like it is specified in https://developers.facebook.com/docs/reference/php/ ? In this case I need to enable CURL PHP extension to get this running and worried if performance will go down when using php sdk.
Could you please help me in finding answers for the above queries?
The php sdk and the javascript are the completely opposite, of what Julian H. Lam said, in fact they were build to be used together.
On the php sdk documentation you can find this:
Integration with the Facebook SDK for JavaScript
Used in conjunction with the Facebook SDK for JavaScript, the PHP SDK can share user sessions seamlessly across the client and server. If a user is logged in with Facebook and has authorized your app, the JavaScript SDK can pick up the user session persist this in a cookie which, which the PHP SDK reads without any intervention on the developer's part.
To enable this functionality, ensure that when you embed and initialise the JS SDK, you set both the status and the cookie parameters of the object passed to FB.init() to true.
And by using basic logic this makes all sense, on the client side you can create listeners to retrieve user status(if he's logged in, if he has granted permissions, if he has logout), doing this kind of actions on the server side doesn't make any sense at all.
So my advice for you is to use Javascript SDK to handle user events, like the ones I mentioned before, and to handle the responses from the actions of the users, like when the user does a like, or shares a post using the feed dialogue, etc.
With the php SDK you just check if you have a valid user, since you're sharing the same cookie for the client side and for the server side after you handle the login proccess with the javascript SDK, if you do this $fb_id = $facebook->getUser() (after initializing the PHP SDK of course), you'll get the user facebook id, now that you know you have a valid user, you can use the PHP SDK to query information about the user, post on user behalf, etc.
Here's an example of a proper loading of the javascript SDK with cookie support:
<div id="fb-root"></div>
<script>
window.fbAsyncInit = function() {
// init the FB JS SDK
FB.init({
appId : 'YOUR_APP_ID', // App ID from the app dashboard
channelUrl : '//WWW.YOUR_DOMAIN.COM/channel.html', // Channel file for x-domain comms
status : true, // Check Facebook Login status
xfbml : true, // Look for social plugins on the page
cookie : true
});
// Additional initialization code such as adding Event Listeners goes here
};
// Load the SDK asynchronously
(function(d, s, id){
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) {return;}
js = d.createElement(s); js.id = id;
js.src = "//connect.facebook.net/en_US/all.js";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));
</script>
And this is a simple code on the server side just to enlighten you:
require_once("facebook.php");
$config = array();
$config[‘appId’] = 'YOUR_APP_ID';
$config[‘secret’] = 'YOUR_APP_SECRET';
$config[‘fileUpload’] = false; // optional
$facebook = new Facebook($config);
try {
$user_profile = $facebook->api('/me','GET');
$user_name = $user_profile['name'];
$user_email = $user_profile['email'];
} catch(FacebookApiException $e) {
// If the user is logged out, you can have a
// user ID even though the access token is invalid.
// In this case, we'll get an exception, so we'll
// just ask the user to login again here.
}
PS: this server side code, only works if the user has already granted permissions with the scope email
这篇关于如果我们使用JS SDK登录,则在服务器端获取facebook会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
