Facebook security
Tuesday, December 16th, 2008I’m currently writing an application for facebook, most of this application will happen within an iframe, since I’m going to have to play with the layout etc. and I can’t figure out how to pass link to other pages facebook.
This all works well, until you try and transfer any data that someone may want to amend as links.
The normal way I’d do this is by passing values through cookies and POST. However, firstly this isn’t the most secure way of doing things, and secondly I won’t have the users password etc. I’ll just have to trust it’s facebook that calling the page, and not that it’s being called directly.
So I came up with a way of securing the information that is being transmitted by POST. That is to add a test variable to the POST string, and then check it on the other end. Of course someone could just recreate the hash of the variables and pass that, so for added security I’ve inserted a secret phrase and a date stamp to the hash.
This will work fine as long as the page isn’t opened before midnight and the link followed after (otherwise the date will be different and so will the hash) So, I’ve the checking routine checks not only the day, but the day before as well.
Calling.php
$user_id
$loc_id
$action
$passp = md5($user_id . $loc_id . $action . date(‘Y-m-d’) . “secret phase”);
echo “<a href=path.to/script.php?user=”.$user_id.”&loc=”. $loc_id .”$action=”.$action.”&check=”.passp” > link</a>”;
script.php
<?PHP
$passp = md5($_POST['$user_id'] . $_POST['$loc_id'] . $_POST['$action'] . date(‘Y-m-d’) . “secret phase”);
$nextDay = time() – (24 * 60 * 60);
$passp2 = md5($_POST['$user_id'] . $_POST['$loc_id'] . $_POST['$action'] . date(‘Y-m-d’, $nextDay) . “secret phase”);
if ($passp != $_POST['check']) {
if ($passp2 != $_POST['check']) {
echo “err… you’ve fiddled with the pass string”;
exit();
}
}