Gags Gags - 5 months ago
PHP Question

FB social Login PHP - Why People take it as so difficult?

I was implementing FB social login in a website based on PHP. I checked the FB website and found it easy to implement. Below is the approach I have followed, and I am not sure whether I have any security issues here.

I have used the Facebook JS SDK approach, which is as follows:

// Requires the Facebook JS SDK (loaded by its script tag) and jQuery for $.ajax
var appID = 'xxxxxxxxxxxxxxx';
window.fbAsyncInit = function() {
    FB.init({
        appId      : appID, // App ID
        channelUrl : '',
        status     : true,
        cookie     : true,
        xfbml      : true
    });
    FB.getLoginStatus(function(response) {
        if (response.status === 'connected') {
            // connected
            FB.api('/me?fields=id,name,email,permissions', function(response) {
                //alert('Good to see you, ' + + '.');
            });
        }
    });
};

function login() {
    if( navigator.userAgent.match('CriOS') ){
        FB.login(function(response) {
            if (response.authResponse) {
                // authorised
            } else {
                // cancelled
                alert('User cancelled login or did not fully authorize.');
            }
        },{scope: 'email,public_profile,user_friends'});
    }
}

function replace_login(){
    FB.api('/me?fields=id,name,email', function(response) {
        // POST the profile returned by the Graph API to the server
        $.ajax({
            url: "s-account",
            type: 'POST',
            data: response,
            dataType: 'json',
            beforeSend: function(){
            },
            success: function(data) {
            },
            error: function(){
            }
        });
    });
}

And in PHP on the server side, I am storing user details like social_id, name and email in the database through the ajax call, and if the DB operation is successful then I am setting session variables in my website with username and email, and the user is logged in successfully.

For logout, I am using my own logout function to destroy the website user session, and the user is successfully logged out.

Now, where is the security risk? Because if the user is logged out and then tries to log in again, the JS SDK shall get a new Access Token through a new response.


This whole authentication process boils down to the ajax call to s-account. You're sending name and email from FB.api() to your back end application in a POST request and as you didn't mention, I presume you're not verifying the access token with these details on the server side and you're simply making a session based on these details.

The security issue

Now, the security issue is that you're using a client side authentication on the server side. A user can simply generate a POST request to s-account with a fake response like Facebook's with any username and email address, and your PHP application will authenticate the user and make a valid session without verifying if the details are coming from a legit source. Your authentication is completely broken at this stage because a malicious user can log in with any account by generating a simple POST request to s-account with any email and username.

How to fix

Facebook provides an end-point in the graph API which validates an access token and returns the details of the user associated with this access token. From the Docs:

This endpoint returns metadata about a given access token. This includes data such as the user for which the token was issued, whether the token is still valid, when it expires, and what permissions the app has for the given user.

The FB.login() call will generate the access token as response.authResponse.accessToken and the userId as response.authResponse.userID. You need to send this accessToken & userID along with the other user details in your ajax call to s-account and then use the following API end-point to validate if the details are legit.

curl -X GET ""

If the access token is valid, you'll get the following response with the userID for which this token was issued.

  "data": {
    "app_id": "YOUR_APP_ID",
    "application": "YOUR_APP_NAME",
    "expires_at": 1462777200,
    "is_valid": true,
    "scopes": [

Now you can compare this userID with the userID you received in the ajax call and check if the details are legit.

How to get your APP_ACCESS_TOKEN

To debug the user access token using the debug_token API, you need to generate your APP access token on the server side using the following API end-point.

curl -X GET ""

This will return your app access token in response.

{
  "access_token": "YOUR_APP_ACCESS_TOKEN_HERE",
  "token_type": "bearer"
}
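As an added example (not code from the question or the answer), here is a PHP handler for the s-account endpoint that applies the fix described above: it takes the accessToken and userID posted by the browser, checks them with debug_token using a server-side app access token, and only then reads the profile and creates the session. The environment variables FB_APP_ID and FB_APP_SECRET and the Graph endpoint paths used are assumptions of this example.

```php
<?php
// Added example, not the asker's or answerer's code: the server side of the
// "s-account" ajax call, verifying the token before any session is created.
// Assumes FB_APP_ID and FB_APP_SECRET in the environment and the standard Graph
// endpoints /oauth/access_token, /debug_token and /me on graph.facebook.com.
declare(strict_types=1);
session_start();

function graph_get(string $path, array $query): array {
    $ch = curl_init('https://graph.facebook.com' . $path . '?' . http_build_query($query));
    curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Graph call to $path failed (HTTP $status)");
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// App access token, obtained server side as the answer describes; never sent to the browser.
function app_access_token(): string {
    return graph_get('/oauth/access_token', [
        'client_id' => getenv('FB_APP_ID'), 'client_secret' => getenv('FB_APP_SECRET'),
        'grant_type' => 'client_credentials',
    ])['access_token'];
}

// debug_token check: valid, issued to this app, and for the user id the browser claimed.
function token_belongs_to(string $userToken, string $claimedUserId): bool {
    $d = graph_get('/debug_token', ['input_token' => $userToken,
                                    'access_token' => app_access_token()])['data'] ?? [];
    return ($d['is_valid'] ?? false) === true
        && (string)($d['app_id'] ?? '') === (string)getenv('FB_APP_ID')
        && (string)($d['user_id'] ?? '') === $claimedUserId;
}

$token   = (string)($_POST['access_token'] ?? '');
$claimed = (string)($_POST['user_id'] ?? '');
if ($token === '' || $claimed === '' || !token_belongs_to($token, $claimed)) {
    http_response_code(401);
    exit(json_encode(['error' => 'token verification failed']));
}
// Read name and email with the verified token rather than trusting the POSTed copies.
$me = graph_get('/me', ['fields' => 'id,name,email', 'access_token' => $token]);
session_regenerate_id(true);            // new session id at login
$_SESSION['social_id'] = $claimed;
$_SESSION['username']  = $me['name'] ?? '';
$_SESSION['email']     = $me['email'] ?? '';
echo json_encode(['ok' => true]);
```

Any Graph error (for example a revoked token, which debug_token reports as is_valid false, or an HTTP error) ends the request without a session, so a forged POST with an arbitrary email never gets logged in.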