FB.getLoginStatus returns an access token and a signed request. I've passed them both to the server side, where I've decrypted the signed request, got the code and, using the latter, requested an access token from Facebook.
Both access tokens and their expiration times are the same.
Why do I need both of them? Should I use this somehow as a security feature by comparing the two?
They are redundant, just two views of the same data. There is no point in comparing the two. If you want to be most safe, verify the signed request and throw out the whole set of data if it’s not valid.
Personally I recommend using the fbsr_APPID cookie instead of manually passing the signed request. It’s a tiny bit more obscure to people trying to poke around in your app.
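The check the answer recommends, verifying the signed request and discarding the whole login if it fails, as an added server-side example that is not code from the question, the answer or the Facebook SDK. The `fbsr_APPID` cookie carries the same `signature.payload` format, so the same function verifies it. The app secret, the timestamp and the payload contents are constructed for the demo; `make_signed_request` only exists here to build that test input, since in practice Facebook issues the signed request.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed value for this example only; a real app reads its secret from config.
APP_SECRET = "constructed-example-secret"


def _b64url_decode(s: str) -> bytes:
    # Facebook omits '=' padding; restore it so the stdlib decoder accepts it.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode("ascii").rstrip("=")


def parse_signed_request(signed_request: str, app_secret: str,
                         max_age: int = 3600,
                         now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Verify a signed_request ("sig.payload") and return its payload, or None
    if anything about it is wrong. On None the caller drops the whole set of
    data it arrived with, access token included."""
    if "." not in signed_request:
        return None
    encoded_sig, encoded_payload = signed_request.split(".", 1)
    try:
        sig = _b64url_decode(encoded_sig)
        data = json.loads(_b64url_decode(encoded_payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all subclass ValueError
        return None
    if not isinstance(data, dict):
        return None
    # Only accept the algorithm we compute ourselves; the payload must not choose it.
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The MAC covers the encoded payload string exactly as received.
    expected = hmac.new(app_secret.encode("utf-8"),
                        encoded_payload.encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    # Reject stale requests: issued_at is the Unix time the request was signed.
    issued_at = data.get("issued_at")
    current = int(time.time()) if now is None else now
    if not isinstance(issued_at, int) or not (0 <= current - issued_at <= max_age):
        return None
    return data


def make_signed_request(payload: Dict[str, Any], app_secret: str) -> str:
    """Build a signed_request in the same format, used here only to construct
    test input. Keys in payload override the default algorithm field, which
    lets the demo show an algorithm-downgrade attempt being rejected."""
    body = {"algorithm": "HMAC-SHA256", **payload}
    encoded_payload = _b64url_encode(
        json.dumps(body, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(app_secret.encode("utf-8"),
                   encoded_payload.encode("ascii"), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + encoded_payload


if __name__ == "__main__":
    now = int(time.time())
    # Constructed payload standing in for what Facebook would sign.
    good = make_signed_request(
        {"user_id": "1234567890", "code": "constructed-code", "issued_at": now},
        APP_SECRET)
    print("valid:", parse_signed_request(good, APP_SECRET))
    # Same signature, forged payload: rejected because the MAC no longer matches.
    sig, _ = good.split(".", 1)
    forged = sig + "." + _b64url_encode(
        json.dumps({"algorithm": "HMAC-SHA256", "user_id": "999",
                    "issued_at": now}).encode("utf-8"))
    print("forged:", parse_signed_request(forged, APP_SECRET))
```

`parse_signed_request` returns the decoded payload only when the signature, the algorithm field and the freshness window all check out; anything else yields `None`, and the caller should treat the access token that came with it as untrusted too.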