Users logged into other people's accounts
I have a script that gets Facebook user information (see below).
The issue I've encountered during tests is that a user can end up getting logged in on someone else's account. This is obviously undesirable.
This happens in the bit that says if( $testuser != null )
where some code hooks into the login system of a web site, bypassing the username+password phase, and logs in a person according to their email address.
My guess is that something similar is happening to a payment system I fixed a few months ago. In short, if two people were visiting the same page they could both end up benefiting from a transaction. This was solved by adding an id to the callback from the payment service. In the present case I'm not sure how I could implement that but I'd say an extra condition needs to be added before a user is logged in.
What do you think is happening and what would be an appropriate/secure fix?
// Exchange the OAuth code for an access token
$token_url = "https://graph.facebook.com/oauth/access_token?"
    . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
    . "&client_secret=" . $app_secret . "&code=" . $code;
$response = file_get_contents($token_url);
$params = null;
parse_str($response, $params);

// Fetch the profile of the user the token belongs to
$graph_url = "https://graph.facebook.com/me?access_token=" . $params['access_token'];
$testuser = json_decode(file_get_contents($graph_url));

if( $testuser != null ){
    // Login code goes here
    $id = get_userid_by_email( $testuser->email ); // Use the email as the key; assumed to be unique
    $user = new User($db);
    $user->signin_by_id( (int) $id );
    $user->connect();
}
Yes, go check the database call in get_userid_by_email for any potential holes that could return invalid information.
Also, you need to make sure that $testuser is valid. Just because it decoded data doesn't mean the authentication was correct, as Facebook could have returned a 400 error code. Make sure you check for an error index in the data.
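The two checks the answer asks for, written out as an added example rather than code from the question or the answer. A Graph error payload such as {"error": {...}} still decodes to a non-null object, so the original if( $testuser != null ) passes it; $testuser->email is then undefined, and whatever get_userid_by_email() returns for a null/empty email (false, null or 0) becomes 0 after the (int) cast and is handed to signin_by_id(). The helpers below refuse to sign anyone in unless the response is a well-formed success with an email and the lookup yields a positive id. get_userid_by_email(), User, $db and $graph_url are the asker's own names; their exact behaviour is assumed, not known.

```php
<?php
// Added example, not the asker's code: validate the Graph response and the
// local lookup before the login system is touched.
declare(strict_types=1);

/**
 * Decode the /me response body and return the e-mail address, or null if the
 * body is anything other than a successful profile that carries one.
 */
function graph_email_from_response(string $body): ?string
{
    $data = json_decode($body, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null;                       // not JSON at all (e.g. an HTML error page)
    }
    if (isset($data['error'])) {
        return null;                       // Graph reported a failure: {"error": {...}}
    }
    if (empty($data['id']) || empty($data['email']) || !is_string($data['email'])) {
        return null;                       // no identity or no e-mail: nothing safe to match on
    }
    if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $data['email'];
}

/**
 * Wrap the asker's get_userid_by_email() so that "no match" or "bad input"
 * can never be mistaken for a real account id. Returns a positive int or null.
 */
function local_user_id_for_email(string $email): ?int
{
    if ($email === '') {
        return null;                       // never key the lookup on an empty string
    }
    $id = get_userid_by_email($email);     // asker's function; assumed to return int|string|false|null
    if (!is_int($id) && !(is_string($id) && ctype_digit($id))) {
        return null;
    }
    $id = (int) $id;
    return $id > 0 ? $id : null;           // 0, false and null all mean "no such user"
}

// Constructed sample bodies (not real API output) to exercise the checks:
$constructed_error_body = '{"error":{"message":"Invalid OAuth access token.","type":"OAuthException","code":190}}';
$constructed_ok_body    = '{"id":"1234567890","name":"Example User","email":"user@example.com"}';
var_dump(graph_email_from_response($constructed_error_body));   // rejected
var_dump(graph_email_from_response($constructed_ok_body));      // accepted

// Replacement for the `if( $testuser != null )` block in the question:
// $body  = file_get_contents($graph_url);          // false on a 4xx without ignore_errors
// $email = $body === false ? null : graph_email_from_response($body);
// $id    = $email !== null ? local_user_id_for_email($email) : null;
// if ($id === null) {
//     error_log('Facebook login refused: no valid profile or no uniquely matched account');
// } else {
//     $user = new User($db);
//     $user->signin_by_id($id);
//     $user->connect();
// }
```

The important design choice is that every failure path returns null and the caller only signs in on a non-null positive id; the original code's only gate, a non-null decode result, is satisfied by error payloads as well as by successes. Checking the id returned by the database lookup also covers the answer's first point: a query that falls back to some default row on a missing email cannot slip through as long as the id it returns is verified to belong to the email actually sent.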