Facebook Application - Security Considerations regarding the user's facebook Id
I am building a Facebook game using ASP.Net MVC3. (More like Mafia Wars and less like Farmville in terms of technology and look and feel.) Almost all of the actions of the game will be triggered by JavaScript, which calls a REST API that we have written.
Now, our game authentication is done using Facebook's JS SDK, and we also ask for offline access permission. So we save the auth_token in our DB the first time a user signs up.
I want to know what would be the best way to access the id of the user for operations performed within the application from the point of view of security (and making it hard for people to spoof ids).
I know of the following ways:
1. Store it in a global JavaScript variable and load it on every page load using the JS SDK. (Bad idea, because this can easily be changed in Firebug.)
2. Read the value from the server side using the fbs_[app-id] cookie that is set. (Again, I was able to change the value in the cookie which got posted to the server.)
3. Use the C# SDK and do an API fetch (for /me) to get the ID using the auth_code which is supplied in the cookie. (By far the safest way, but also the slowest.)
Any pointers would be greatly appreciated. Also please let me know if I am getting excessively paranoid about this.
I am sure there must be a clean, simple, secure method which I have overlooked!
Thanks.
I guess I'll just put down what we are doing, in case someone stumbles upon this later. I checked out Zynga's Mafia Wars and found my Facebook id peppered at almost 6 to 7 places throughout the page in the HTML code.
I guess one could try fooling around and modifying it using Firebug, but given the quantity of obfuscated JavaScript out there, one would need to be decently motivated to do it.
However, what we have ended up doing is as follows. Our game asks for offline access to the user, so the access token that we get on the first login is saved in our DB.
Then every time the user performs an action, the Facebook cookie associated with the account is returned to us, out of which we pull out the access token.
We then do a lookup in our own DB for the user id corresponding to this access token. If the user id is not found (for a new user, say), we do a GET("me") using the Facebook API to get the user id.
It is slightly ineffective, but I guess it will do for the time being. Will update this if we end up doing something else. Maybe we are just over-analysing things.
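The pattern described in the answer above (take the access token from the cookie, look it up in your own DB, fall back to a Graph API call to /me only on a miss, and never trust a user id the client supplies) is shown here as an added example; it is not code from the question, the answer, or any Facebook SDK. The Graph API is replaced by a constructed in-memory stand-in so the example runs offline, the fbs_ cookie layout (a quoted, URL-encoded query string with an access_token field) is an assumption, and the choice to key the DB on a SHA-256 hash of the token rather than the raw token is the example's own, so the table never holds usable bearer credentials. The original application is C#/ASP.NET MVC; Python is used here only for illustration.

```python
import hashlib
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs

# Constructed stand-in for the Graph API: the tokens Facebook would accept and
# the user id GET /me returns for each. In production this is an HTTPS call to
# https://graph.facebook.com/me?access_token=<token> made from the server.
_FAKE_GRAPH_TOKENS = {
    "tok_alice_offline": "100001",
    "tok_bob_offline": "100002",
}


class GraphError(Exception):
    """Raised when the Graph API rejects a token (forged, revoked or expired)."""


def fake_graph_me(access_token: str) -> str:
    """Simulated GET /me: returns the user id for a valid token, else raises."""
    try:
        return _FAKE_GRAPH_TOKENS[access_token]
    except KeyError:
        raise GraphError("OAuthException: invalid access token") from None


def extract_access_token(cookie_value: str) -> Optional[str]:
    """Pull access_token out of the fbs_<app-id> cookie.

    Assumed layout: a quoted, URL-encoded query string such as
    "access_token=...&uid=...&expires=...". Only the token is used; the uid
    field is client-controlled and is deliberately ignored.
    """
    params = parse_qs(cookie_value.strip('"'))
    values = params.get("access_token")
    return values[0] if values else None


def token_key(access_token: str) -> str:
    """DB key for a token: its SHA-256 hash, so the table stores no raw secrets."""
    return hashlib.sha256(access_token.encode("utf-8")).hexdigest()


class TokenStore:
    """Our own DB table mapping hashed access token -> Facebook user id."""

    def __init__(self, graph_me: Callable[[str], str] = fake_graph_me):
        self._by_token: Dict[str, str] = {}
        self._graph_me = graph_me
        self.graph_calls = 0  # number of slow Graph API round trips made

    def resolve_user_id(self, access_token: str) -> str:
        """Return the user id bound to this token; call /me only on a DB miss."""
        key = token_key(access_token)
        uid = self._by_token.get(key)
        if uid is None:
            self.graph_calls += 1
            uid = self._graph_me(access_token)  # raises GraphError on a bad token
            self._by_token[key] = uid
        return uid


def handle_game_action(store: TokenStore, fbs_cookie: str, request_body: dict) -> dict:
    """Server-side handler for a game action posted by the JS client.

    The acting user's identity comes only from the token; a 'user_id' in the
    request body is never used, but a mismatch is reported so it can be logged.
    """
    token = extract_access_token(fbs_cookie)
    if token is None:
        return {"status": 401, "reason": "no access token in cookie"}
    try:
        uid = store.resolve_user_id(token)
    except GraphError:
        return {"status": 401, "reason": "token rejected by Facebook"}
    claimed = request_body.get("user_id")
    return {
        "status": 200,
        "user_id": uid,
        "client_id_mismatch": claimed is not None and claimed != uid,
    }


if __name__ == "__main__":
    store = TokenStore()
    cookie = '"access_token=tok_alice_offline&uid=100002&expires=0"'
    print(handle_game_action(store, cookie, {"user_id": "100002", "action": "attack"}))
    print(handle_game_action(store, cookie, {"action": "attack"}), store.graph_calls)
    print(handle_game_action(store, '"access_token=forged&uid=100001"', {}))
```

The first request for a token costs one Graph API call; every later request for the same token is served from the DB, which is the trade-off the answer describes. A tampered uid in the cookie or a user_id in the body changes nothing, because the id is always derived from the token, and a forged token is rejected by the /me call before any game state is touched.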