Antonio Matarrese - 4 months ago
Javascript Question

Safe Facebook login

I'm using on my website the option to log in with Facebook. Is using only the JavaScript Facebook API enough to guarantee that no security breach could be attempted from the client side in order to authenticate as a different user?


When a user clicks on your Facebook connect button they are authenticating against Facebook's table of users. If Facebook returns them back to your site they will come with an access token. On your server, you should be performing an HTTP GET against the following URL:


If the access token was issued in the last (I think) 20 minutes then it will authorize you to fetch a JSON containing things like their name, email address (if they authorized that information), etc. You don't need to ask the user to type their email address on your site, because that information isn't coming from the user; it's coming from Facebook's servers.
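As an added illustration of the server-side step the answer describes (example code, not from the original answer, Facebook's SDK, or the page), here is a Node.js function that takes the browser-supplied access token, asks Facebook which app and user the token was issued for, and only then reads the profile, so every identity field comes from Facebook's responses rather than from the request. It assumes Node 18+ (global `fetch`) and the Graph API endpoints `/debug_token` and `/me`, which the page does not show; `appId`, `appToken` and the injected `fetchFn` are placeholders you supply.

```javascript
// Added example (not from the original answer): verify a browser-supplied
// Facebook access token on the server before trusting any identity claim.
// Assumptions: Node 18+ (global fetch); Graph API endpoints /debug_token and
// /me; appId/appToken are placeholders for your own app's values.
const GRAPH = "https://graph.facebook.com";

// Pure checks on Facebook's /debug_token answer, kept synchronous so the
// decision logic can be exercised without network access.
function evaluateDebugToken(data, appId, nowMs = Date.now()) {
  if (!data || data.is_valid !== true) return { ok: false, reason: "token rejected" };
  // A valid token issued to some other app must not log anyone in here.
  if (String(data.app_id) !== String(appId)) return { ok: false, reason: "wrong app" };
  if (typeof data.expires_at === "number" && data.expires_at * 1000 <= nowMs) {
    return { ok: false, reason: "token expired" };
  }
  return { ok: true, userId: String(data.user_id) };
}

// The account key is Facebook's user id for this token; the profile must match it.
function evaluateProfile(profile, expectedUserId) {
  if (!profile || String(profile.id) !== expectedUserId) {
    return { ok: false, reason: "identity mismatch" };
  }
  return { ok: true, userId: expectedUserId, name: profile.name || null, email: profile.email || null };
}

// Server-side flow: the client sends only the token; every identity field
// used afterwards comes from Facebook's responses, never from the request body.
// fetchFn is injectable so the flow can be tested with constructed responses.
async function verifyFacebookToken(accessToken, { appId, appToken, fetchFn = fetch }) {
  if (typeof accessToken !== "string" || !/^[A-Za-z0-9_.|-]{1,512}$/.test(accessToken)) {
    return { ok: false, reason: "malformed token" };
  }
  const qs = (o) => new URLSearchParams(o).toString();
  const dbg = await fetchFn(`${GRAPH}/debug_token?${qs({ input_token: accessToken, access_token: appToken })}`);
  const dbgJson = dbg.ok ? await dbg.json() : {};
  const check = evaluateDebugToken(dbgJson.data, appId);
  if (!check.ok) return check;
  const me = await fetchFn(`${GRAPH}/me?${qs({ fields: "id,name,email", access_token: accessToken })}`);
  const profile = me.ok ? await me.json() : null;
  return evaluateProfile(profile, check.userId);
}
```

Only the `userId` returned by this function should be used to look up or create the local account; the client never gets to name the user it is logging in as.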