I added a like button to the canvas application page that actually configured to the facebook page of the application.
I would like that whenever a user pressed like or dislike on my page, a request will be sent to my server noticing it that the user liked or disliked the application page.
I can catch these events by using the following code:
FB.Event.subscribe('edge.create', function(response) {
alert('You liked the URL: ' + response);
});
FB.Event.subscribe('edge.remove', function(response) {
alert('You disliked the URL: ' + response);
});
I can just check if the response equals to my facebook application page.
the question is.. after I catched the like or dislike, how do i forward it to the server secure enough ? how can I send the request to the server without posting the facebook id as a post/get parameter?
i want to send it to the server in a way that the server will be able to fetch the facebook session information and fetch the userid from there, or any other secure way.
example:
if i’ll just call http://mysite/liked_my_app?uid=4534534543
then a user notice this request and start sending liked_my_app with fake uids.
is there a way to prevent that somehow ?
thanks
Instead of using the UID of the user, forward the
signed_request. Only you can decode signed requests coming from your application because of theapp_secretyou have to use to decode it.Another possible solution (depending on what exactly you want to do when you confirm a like/dislike event) is to check at intervals your page/app like count – in a cron job for example. When a user likes your page/app you can retrieve his UID (possibly other information as well), and you can cross-reference the lists from the last cron job.