Third Party Cookies, OAuth2.0, iFrames for Facebook Dev
We ran into an issue with one of our apps: no cookie was being set for users whose browsers had the “third party cookies” setting disabled, in Firefox (see picture). According to the official word, Facebook doesn’t support this. Thing is, if you’re creating a PHP application in iFrames, it’s necessary to get that cookie and pass it around; otherwise you have to re-authenticate on each page. We’ve discovered a workaround:
Grab the access_token and pass that around. Use it in all requests to the Graph API, and you have full access to session data on the Facebook side. This is documented in the Graph examples, but not in the PHP-SDK. It’s sad because it would be nice to use all of the nice methods in the PHP-SDK, but if it doesn’t work for a significant percentage of our users, it’s not a good solution. How many users have 3rd party cookies off? According to some, IE’s medium security setting has that turned off by default. For our population, IE was more than 50% of our users. Firefox has the option but it’s not on by default, to my knowledge.
This code is on our page after authentication:
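    require_once 'facebook.php'; // PHP-SDK; adjust the path to your install
    $facebook = new Facebook(array(
        'appId'  => '[your app ID]',
        'secret' => '[your secret]',
        'cookie' => true,
    ));
    $session = $facebook->getSession();
    session_start();
    $uid = ''; // stays empty when there is no session or the lookup fails
    if ($session) {
        try {
            $uid = $facebook->getUser();
        } catch (FacebookApiException $e) {
            // log to show error
            error_log($e->getMessage());
        }
    }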
All is fine. But when you use Ajax to post to another page, for some users the session does not carry (via cookie).
    $facebook = new Facebook(array(
        'appId'  => '[your app id]',
        'secret' => '[your secret]',
        'cookie' => true,
    ));
    $session = $facebook->getSession();
    session_start();
    print_r($session);
    // other print outs of $_COOKIE, $cookie, etc.
That is the way we wanted it to work, but it didn’t (for some users with 3rd party cookies turned off).
Instead, this method works:
On the page that is after authentication, we add in the query string the session object “access_token”:
    $.post("otherpage.php?my_access_token=<?php echo urlencode($session['access_token']); ?>",
        null, function(dataStr){ /* ajax stuff */ });
On the “otherpage.php”, we take the access_token and use it in all of our Graph queries.
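    if ($uid == '') {
        // file_get_contents() returns false on failure instead of throwing,
        // so check the result explicitly rather than relying on try/catch.
        $token = isset($_GET['my_access_token']) ? $_GET['my_access_token'] : '';
        $response = @file_get_contents(
            'https://graph.facebook.com/me?access_token=' . urlencode($token));
        $me = ($response !== false) ? json_decode($response) : null;
        if ($me && isset($me->id)) {
            $uid = $me->id;
        } else {
            // log the failure
        }
    }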
Because we’re in an iFrame in a Facebook app, we can’t use our PHP session variables as cookie management is disabled.
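A request URL, query string included, is routinely written to web server logs and browser history, so a token passed as `?my_access_token=` ends up stored there. The PHP below is an added example, not the original author's code: a variant of the otherpage.php lookup that reads the token from the POST body and treats a Graph error response as a failed lookup. The function names, the 512-character limit and the stub responses are assumptions constructed for illustration.

```php
<?php
// Added example, not the original author's code. Names, the length limit
// and the sample responses below are assumptions for illustration.

// Read the token from the POST body; accept only printable ASCII (assumed format).
function token_from_request(array $post): ?string {
    $t = $post['my_access_token'] ?? null;
    if (!is_string($t) || !preg_match('/^[\x21-\x7e]{1,512}$/', $t)) {
        return null;
    }
    return $t;
}

// Real HTTPS fetch. ignore_errors returns the JSON error body on HTTP 4xx
// instead of false, so the caller can tell "bad token" from "network down".
function graph_fetch(string $url) {
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'ignore_errors' => true]]);
    return @file_get_contents($url, false, $ctx);
}

// Returns the numeric user id as a string, or null on any failure.
function resolve_uid(?string $token, callable $fetch): ?string {
    if ($token === null) {
        return null;
    }
    $body = $fetch('https://graph.facebook.com/me?access_token=' . rawurlencode($token));
    if ($body === false) {
        return null;
    }
    $me = json_decode($body);
    if (!is_object($me) || isset($me->error) || !isset($me->id)) {
        return null;
    }
    $id = (string) $me->id;
    return ctype_digit($id) ? $id : null;
}

// Constructed responses standing in for the Graph API so this runs offline.
$stub = function (string $url) {
    return strpos($url, 'access_token=good-token') !== false
        ? '{"id":"1234567890","name":"Sample User"}'
        : '{"error":{"type":"OAuthException","message":"Invalid token"}}';
};

var_dump(resolve_uid(token_from_request(['my_access_token' => 'good-token']), $stub));
var_dump(resolve_uid(token_from_request(['my_access_token' => 'bad token']), $stub));
var_dump(resolve_uid(token_from_request(['my_access_token' => 'expired']), $stub));
```

On a live page the call would be `resolve_uid(token_from_request($_POST), 'graph_fetch')`, with the client sending the token as a POST field, for example `$.post("otherpage.php", { my_access_token: token }, ...)` where `token` is an assumed variable holding the access token.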
As usual I’m interested in how others have solved this problem. These are the sites that I’ve read concerning this issue:
- Facebook Connect and Third Party Issues - StackOverflow
- PHP-SDK Example.php on Github, this is the definitive way of using PHP and JavaScript for Facebook
- Ben Biddington’s Facebook Graph API and Getting Access Tokens: great post on almost everything surrounding this issue.
- Bugzilla bug report on Cookie issues: covers the known issue with 3rd party cookies, and another bug with Firefox and authentication.
- Security issues with IE7, Cookies and iFrames: I didn’t explore the P3P header route, as I was having this issue with a manually set Firefox security setting.
About the Author
I'm a developer with Momentus Media. I've done the gamut of OLAP DB modeling to iPhone development and Ruby on Rails. Now, I'm in the fast lane of rapid, viral app development on Facebook.