How do i disable the facebook iframe app outside of facebook

I've created a iframe facebook app and i want to disable the app outside of facebook, that the user can't open the开发者_运维技巧 app via direct url. I found a solution with javascript, but i need it in PHP.

I can't use the referrer, because some user have disabled it in there browser...

You can check if there's signed_request param sent in request. If application is opened inside facebook than signed_request exists.

But there's one more issue.
You should check if signed_request is valid and for that you can use parse_signed_request method

public function parse_signed_request($signed_request, $secret) { list($encoded_sig, $payload) = explode('.', $signed_request, 2);

    // decode the data
    $sig = $this->base64_url_decode($encoded_sig);
    $data = json_decode($this->base64_url_decode($payload), true);

    if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        error_log('Unknown algorithm. Expected HMAC-SHA256');
        return null;
    }

    // check sig
    $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
    if ($sig !== $expected_sig) {
        error_log('Bad Signed JSON signature!');
        return null;
    }

    return $data;
}

Then you can check if $data['user_id'] exist or is it equal to logged in user. If not you can redirect like this
echo "< script type='text/javascript' >top.location.href = '$this->loginUrl'; < /script >"; Or find some way to redirect from php. (There was redirect method in the old php sdk)

Your only real option would be to attempt to use the Facebook API somehow, and see if you get any response.