Third Party Cookies, OAuth2.0, iFrames for Facebook Dev
We ran into an issue with one of our apps where no cookie was being set for users whose browsers had the “third party cookies” setting disabled, in Firefox (see picture). According to the official word, Facebook doesn't support this. Thing is, if you're creating a PHP application in iFrames, it's necessary to get that cookie and pass it around; otherwise you have to re-authenticate on each page. We've discovered a workaround:
Grab the access_token and pass that around. Use it in all requests to the Graph, and you have full access to session data on the Facebook side. This is documented in the Graph examples, but not in the PHP-SDK. It's sad, because it would be nice to use all of the nice methods in the PHP-SDK, but if it doesn't work for a significant percentage of our users, it's not a good solution. How many users have 3rd party cookies off? According to some, it's IE's medium security to, by default, have that turned off. For our population, IE was more than 50% of our users. Firefox has the option but it's not on by default, to my knowledge.
This code is on our page after authentication:
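    // 'cookie' => true asks the PHP-SDK to keep the Facebook session in a cookie
    $facebook = new Facebook(array(
        'appId'  => '[your app ID]',
        'secret' => '[your secret]',
        'cookie' => true,
    ));
    $session = $facebook->getSession();
    session_start();
    $uid = ''; // stays empty when there is no session or the lookup fails
    if ($session) {
        try {
            $uid = $facebook->getUser();
        } catch (FacebookApiException $e) {
            // log to show error
        }
    }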
All is fine. But when you use Ajax to post to another page, for some users the session does not carry (via cookie).
    $facebook = new Facebook(array(
        'appId'  => '[your app id]',
        'secret' => '[your secret]',
        'cookie' => true,
    ));
    $session = $facebook->getSession();
    session_start();
    print_r($session);
    // other print outs of $_COOKIE, $cookie, etc.
So that is the way we wanted it to work; it didn't (for some users with 3rd party cookies turned off).
Instead, this method works:
On the page that is after authentication, we add in the query string the session object “access_token”:
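    // the access_token from the session object is written into the query string
    $.post("otherpage.php?my_access_token=<?php echo urlencode($session['access_token']); ?>",
        null, function(dataStr){ /// ajax stuff }
    );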
On the “otherpage.php”, we take the access_token and use it in all of our Graph queries.
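    if ($uid == '' && isset($_GET['my_access_token'])) {
        // file_get_contents() returns false on failure; it does not throw
        $response = file_get_contents(
            'https://graph.facebook.com/me?access_token='
            . urlencode($_GET['my_access_token']));
        $me = ($response !== false) ? json_decode($response) : null;
        if ($me && isset($me->id)) {
            $uid = $me->id;
        } else {
            // log the failure
        }
    }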
Because we're in an iFrame in a Facebook app, we can't use our PHP session variables as cookie management is disabled.
As usual I'm interested in how others have solved this problem. These are the sites that I've read concerning this issue:
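The otherpage.php lookup above, as an added example that is not code from the original post: it resolves the user ID from the passed token and treats transport failures and Graph error objects as "not authenticated". The function name `graph_uid_from_token`, the injectable `$fetch` callable, reading the token from the POST body, and the sample responses are assumptions constructed for illustration.

```php
<?php
// Added example (not the original post's code): resolve the Facebook user ID
// from an access token handed over by the page, failing closed on any error.
// $fetch is a hypothetical injectable callable: URL in, body string or false out.
function graph_uid_from_token($token, $fetch)
{
    // Tokens are opaque; only require printable ASCII and a sane length
    // (the 512-character cap is an assumption, not a Facebook limit).
    if (!is_string($token) || !preg_match('/\A[\x21-\x7E]{1,512}\z/', $token)) {
        return null;
    }
    $url  = 'https://graph.facebook.com/me?access_token=' . urlencode($token);
    $body = call_user_func($fetch, $url);
    if ($body === false) {
        return null; // transport failure: file_get_contents() returns false, it does not throw
    }
    $me = json_decode($body);
    if (!is_object($me) || isset($me->error) || !isset($me->id)) {
        return null; // malformed JSON or a Graph error object
    }
    return (string) $me->id;
}

// Constructed Graph responses so the example runs offline.
$fakeGraph = function ($url) {
    parse_str(parse_url($url, PHP_URL_QUERY), $query);
    return $query['access_token'] === 'constructed-valid-token'
        ? '{"id":"1000001","name":"Constructed User"}'
        : '{"error":{"type":"OAuthException","message":"Invalid OAuth access token."}}';
};

// Take the token from the POST body instead of the query string, which keeps
// it out of web-server and proxy access logs. Falls back to a constructed
// token when run from the command line.
$token = isset($_POST['my_access_token'])
    ? $_POST['my_access_token']
    : 'constructed-valid-token';

var_dump(graph_uid_from_token($token, $fakeGraph));        // constructed valid token
var_dump(graph_uid_from_token('bogus-token', $fakeGraph)); // Graph error object
var_dump(graph_uid_from_token("bad token\n", $fakeGraph)); // rejected before any request
```

Against the live Graph, pass `'file_get_contents'` as `$fetch`; the matching Ajax call would send `my_access_token` as POST data instead of appending it to the URL.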
- Facebook Connect and Third Party Issues - StackOverflow
- PHP-SDK Example.php on Github, this is the definitive way of using PHP and JavaScript for Facebook
- Ben Biddington's Facebook Graph API and Getting Access Tokens: great post on almost everything surrounding this issue.
- Bugzilla bug report on Cookie issues: covers the known issue with 3rd party cookies, and another bug with Firefox and authentication
- Security issues with IE7, Cookies and iFrames: I didn't explore the P3P header route, as I was having this issue with a manually set Firefox security setting.
About the Author
I'm a developer with Momentus Media. I've done the gamut of OLAP DB modeling to iPhone development and Ruby on Rails. Now, I'm in the fast lane of rapid, viral app development on Facebook.