is admin on facebook pages
I looked around and could not find anything to do this (well it was not obvious or semi-obvious)
So say I have a facebook application that offers a service that people will pay for during use. The average user can come on and "Subscribe" to it, while the admin of those pages can perform an activity that will cost them money (make me money).
I do not want hacking attempts or anything to hurt our product. So, how can I verify that someone is an admin using the PHP SDK?
What we are currently doing is storing the $_POST["signed_request"] in $_SESSION's data and working with that. Either the $_POST or $_SESSION is not safe 100% (firesheep).
Is there any way to verify this? Graph API?
Okay, first things first. To retrieve the signed_request and check if the user is an admin you would use something like:
// The SDK decodes the signed_request and verifies its signature with the app secret
$signed_request = $facebook->getSignedRequest();

if (!empty($signed_request['page'])) { // Loaded in a page tab
    if (!empty($signed_request['page']['admin'])) {
        // Current user is an admin of the page
    } else {
        // Normal user
    }
} else { // Canvas view (no page data in the signed_request)
}
Now I'm not sure what you mean by:
What we are currently doing is storing the $_POST["signed_request"] in $_SESSION's data and working with that.
Because if you are using the PHP-SDK then you don't need to worry about storing the signed_request in the session since the SDK will handle it for you.
Now for the last part:
Either the $_POST or $_SESSION is not safe 100% (firesheep).
That's not true, the signed_request is useless without your app secret key to decode it. So even if someone was able to obtain it, it won't compromise your application. Read more about signed_requests here.
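The reason the signed_request cannot be forged without the app secret is that its payload is covered by an HMAC-SHA256 keyed with that secret, which is what the PHP SDK checks before returning the decoded array. The following is an added example (not code from the original answer or from the Facebook SDK) that performs the same check by hand and then reads the page admin flag. The app secret, the payload contents and the helper names are constructed placeholders; in a page tab the real value arrives in $_POST['signed_request'].

```php
<?php
// Added example: verify a signed_request ("<sig>.<payload>", both base64url encoded)
// with the app secret before trusting any field in it, including page.admin.

function base64UrlDecode(string $input): string
{
    // base64_decode tolerates the missing '=' padding used by base64url
    return base64_decode(strtr($input, '-_', '+/'));
}

function base64UrlEncode(string $input): string
{
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}

// Returns the decoded payload on success, or null when the request is malformed
// or the signature does not match the app secret.
function parseSignedRequest(string $signedRequest, string $appSecret): ?array
{
    $parts = explode('.', $signedRequest, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encodedSig, $payload] = $parts;

    $sig  = base64UrlDecode($encodedSig);
    $data = json_decode(base64UrlDecode($payload), true);

    if (!is_array($data) || strtoupper($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }

    // Recompute the HMAC over the still-encoded payload and compare in constant time.
    $expected = hash_hmac('sha256', $payload, $appSecret, true);
    if (!hash_equals($expected, $sig)) {
        return null;
    }

    return $data;
}

// Only a successfully verified payload may answer the "is admin" question.
function isPageAdmin(?array $data): bool
{
    return $data !== null && !empty($data['page']['admin']);
}

// --- constructed demonstration data (placeholder secret, fictitious ids) ---
$appSecret = 'APP_SECRET_PLACEHOLDER';

// A genuine request for a normal (non-admin) page visitor, signed with the secret.
$payload = base64UrlEncode(json_encode([
    'algorithm' => 'HMAC-SHA256',
    'issued_at' => 1300000000,
    'user_id'   => '12345',
    'page'      => ['id' => '67890', 'liked' => true, 'admin' => false],
]));
$genuine = base64UrlEncode(hash_hmac('sha256', $payload, $appSecret, true)) . '.' . $payload;

// The same request with the admin flag edited in the payload but the old signature kept:
// without the secret no valid signature can be produced, so verification fails.
$editedPayload = base64UrlEncode(json_encode([
    'algorithm' => 'HMAC-SHA256',
    'issued_at' => 1300000000,
    'user_id'   => '12345',
    'page'      => ['id' => '67890', 'liked' => true, 'admin' => true],
]));
$tampered = explode('.', $genuine, 2)[0] . '.' . $editedPayload;

var_dump(isPageAdmin(parseSignedRequest($genuine, $appSecret)));
var_dump(parseSignedRequest($tampered, $appSecret));
var_dump(isPageAdmin(parseSignedRequest($tampered, $appSecret)));
```

Running the script shows the genuine request verifying and reporting a non-admin user, while the tampered request is rejected (null payload) and therefore never reaches the admin check. This is why an intercepted signed_request or session value lets an attacker replay what the user already was, but not upgrade themselves to page admin: the admin flag is only meaningful after the HMAC check passes, and that check needs the app secret the server never sends out.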