
Generate the Facebook signature using my application's secret key?

When you build a website with "facebook connect" and you log into facebook with your username and password, facebook then sets a session on your website.

In that session is a generated "signature"

This signature is created by combining the data of your "application secret" that only you and Facebook know, and the result MD5 hashed.

I need the algorithm used to generate that signature so that I can recreate it and make sure it matches the one signature created by facebook.

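// $reGeneratedSignature holds the signature recomputed locally from the session data and the application secret.
// hash_equals() compares byte for byte; a loose == can treat two "0e<digits>" hex strings as equal numbers.
if (hash_equals($reGeneratedSignature, $_SESSION['facebookSignature'])) {
    // save to database
} else {
    // go away I don't trust you
}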

This way I can validate the user, and I don't need to make unnecessary calls to Facebook and can allow the user to continue to use the website.


The Verifying The Signature link is the way to go, so that should be working for you.

Have a look at the source code for FBConnectAuth, it does what you want, and is generic so that it will adapt to any new FB Connect cookies that may appear - so hopefully that will adapt to the new JS library.

Hope that helps,

Adam


Reconstructing the signature created by Facebook is rather simple. You just need to append all key=value pairs, then append your private key, and finally compute the MD5 hash of the resulting string.

More details on how the signature is constructed can be found on this answer.

Facebook has provided a PHP example of how to reconstruct the sig here in the Single Sign-On section.

I have written a blog post doing exactly the same, but in Ruby instead.
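
The check described in the answer above, written out in PHP as an added example (not code from the original posts, from Facebook, or from FBConnectAuth). Sorting the keys alphabetically before joining, the `sig` field name, the function names and all sample values are assumptions made for this illustration.

```php
<?php
// Added example: recompute md5(k1=v1k2=v2...secret) and compare it to the received signature.
// Assumptions: keys are sorted alphabetically and the signature arrives in a field named 'sig'.

function compute_signature(array $params, string $secret): string
{
    unset($params['sig']);        // the signature is never part of the signed data
    ksort($params, SORT_STRING);  // fixed order so both sides build the same string
    $payload = '';
    foreach ($params as $key => $value) {
        $payload .= $key . '=' . $value;
    }
    return md5($payload . $secret);
}

function verify_signature(array $params, string $secret): bool
{
    $sig = $params['sig'] ?? null;
    // Reject a missing, non-string or malformed signature before comparing.
    if (!is_string($sig) || !preg_match('/\A[0-9a-f]{32}\z/', $sig)) {
        return false;
    }
    foreach ($params as $value) {
        if (!is_scalar($value)) {
            return false;         // e.g. array-valued cookie or query parameters
        }
    }
    // Constant-time, byte-exact comparison instead of a loose ==.
    return hash_equals(compute_signature($params, $secret), $sig);
}

// Constructed sample session data and a placeholder secret.
$secret  = 'EXAMPLE_APP_SECRET';
$session = ['user' => '1234', 'expires' => '1300000000', 'session_key' => 'abc'];
$session['sig'] = compute_signature($session, $secret);  // what the issuer would send

var_dump(verify_signature($session, $secret));                      // untouched data
var_dump(verify_signature(['user' => '9999'] + $session, $secret)); // user id altered
var_dump(verify_signature(['sig' => ['x']] + $session, $secret));   // malformed signature
```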
