Facebook has done great work on preventing eavesdropping (with tools like Firesheep) by supporting HTTPS on all facebook.com pages, but does not provide similar levels of security for 3rd party sites.
Right now it's possible to eavesdrop on the traffic from a 3rd party website that uses the Facebook JS SDK and obtain a user's signed fbsr_APP_ID cookie, which a website should use to authenticate its users.
Is there a way to set this cookie with the secure parameter so that it’s only transmitted over HTTPS connections?
I have read both the documentation and the JavaScript SDK source code and it doesn’t seem possible. So if it’s not possible, which other authentication method would you suggest to avoid eavesdropping of this cookie?
I think I’m too late for the bounty, but I’ll happily take the “accepted answer” 🙂
As noted in the remark, in FB.init you specify whether you want the Facebook JS SDK to set cookies for you with the cookies option; it even looks like by default no cookies are set: https://developers.facebook.com/docs/reference/javascript/FB.init/

Afterwards, use your own JavaScript to store the fbsr_APP_ID any way you want (Secure cookie, client-side storage, etc.).