I am developing a web app in ASP.net that allows users to log in using Facebook connect and use the services (like posting a picture or voting for a picture).

To keep the record of user connected via Facebook connect, the user is automatically registered by inserting the unique userid (something like 632343 provided by Facebook) in the database. And the other activities (like posting a picture or voting for a picture) are recorded against user’s unique userid.

When user logs in, his/her private page is loaded by fetching the entries from the database where userId = [user id of the current Facebook connected user]

I was using Facebook JavaScript SDK for this scenario until I discovered that there is a security fail in what I am doing. I am actually getting the userId of the current Facebook connected user and then sending a request to a partial page loadprofile.aspx?user=” to load the private profile page. Anyone who knows the Facebook id of any user can hack the page with tools like ‘Firebug for FireFox’ or by simply sending a get request to loadprofile.aspx?user=[user id] and can fetch the private content of that user.

The only solution I can find is to use the graph API and authenticate the user at Server side to get the userId so that the private page is generated internally for the current Facebook connected user.

I wanted to ask you guys if there is still a secure way of doing this using Facebook JavaScript API because I find it easy to use. Please help.