I got an email today saying:
In every case that we have examined, this information is passed via the HTTP Referer Header by the user's browser. This can happen when using our legacy authentication system and including , or content from 3rd parties in the page that receives authentication data from Facebook. Our legacy mechanism passes authentication information in the URL query string which, if handled incorrectly, can be passed to 3rd parties by the browser. Our current OAuth 2.0 authentication system, released over a year ago, passes this information in the URL fragment, which is not passed to 3rd parties by the browser.
I'm a bit confused, as the way I have integrated is by using the PHP API, with a similar response to the one in the example.php file:
https://github.com/facebook/php-sdk
Here is how I’m making the request:
<?php
// Facebook PHP SDK (https://github.com/facebook/php-sdk); facebook.php is the SDK's entry point.
require_once 'facebook.php';

// $_SESSION is written below, so a PHP session must already be open.
session_start();

// FACEBOOKAPPID, FACEBOOKSECRET, SITEURL and header_redirect() are defined
// elsewhere in the application (header_redirect() is assumed to send a
// Location header and exit).
$facebook = new Facebook(array(
    'appId'  => FACEBOOKAPPID,
    'secret' => FACEBOOKSECRET,
    'cookie' => false,
));
$fb_session = $facebook->getSession();
$fb_me = null;

// Session based API call.
if ($fb_session) {
    try {
        $fb_uid = $facebook->getUser();
        $fb_me = $facebook->api('/me');
        $fb_me['photo'] = 'http://graph.facebook.com/'.$fb_uid.'/picture?type=large';
        $_SESSION['register_api'] = 1;
        $_SESSION['register_api_details'] = $fb_me;
        $_SESSION['register_api_user_id'] = $fb_uid;
        header_redirect(SITEURL.'/register');
    } catch (FacebookApiException $e) {
        error_log($e);
    }
} else {
    # LOGIN URL FOR FACEBOOK & request extra stuff
    $fb_login_url = $facebook->getLoginUrl(array('req_perms' => 'email,user_about_me,user_birthday,user_website'));
    header_redirect($fb_login_url);
}
Everything is working fine, but I don’t understand what I am doing wrong. As far as I was aware, I am using OAuth.
It turns out that they were just about to release a new version of the API which solved this problem.
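To make the mechanism in the email concrete, here is an added example (not code from the original post, nor from the Facebook SDK) that models the Referer a browser attaches when a page loads a third-party sub-resource. It implements the rule from RFC 7231 section 5.5.2 (the fragment and userinfo are never sent) plus two named Referrer-Policy behaviours: the legacy browser default, no-referrer-when-downgrade, and the current default, strict-origin-when-cross-origin. The page URLs, token and third-party host are constructed placeholders; the getSession() flow in the PHP code above belongs to the SDK releases that predate its OAuth 2.0 rewrite, which is the query-string flow the email refers to.

```javascript
// Added example, not from the original post or the Facebook SDK.
// Models the Referer a browser sends when `pageUrl` loads a sub-resource from
// `targetUrl`, then checks whether an auth token in the page URL leaks.
// URL is a Node global (v10+), so no imports are needed.

function refererFor(pageUrl, targetUrl, policy = 'no-referrer-when-downgrade') {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);

  // RFC 7231 s5.5.2: fragment and userinfo are never part of the Referer.
  const full = new URL(page.href);
  full.hash = '';
  full.username = '';
  full.password = '';

  const originOnly = page.origin + '/';
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === 'https:' && target.protocol === 'http:';

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':      // what browsers did before Referrer-Policy existed
      return downgrade ? null : full.href;
    case 'strict-origin-when-cross-origin': // current browser default
      if (downgrade) return null;
      return sameOrigin ? full.href : originOnly;
    default:
      throw new Error(`unsupported policy: ${policy}`);
  }
}

// True when the third party would see the token in the Referer header.
function tokenLeaks(pageUrl, targetUrl, token, policy) {
  const ref = refererFor(pageUrl, targetUrl, policy);
  return ref !== null && ref.includes(token);
}

// Constructed sample input: placeholder token, made-up hosts.
const TOKEN = 'abc123SESSIONTOKEN';
// Legacy flow: authentication data in the query string.
const LEGACY_PAGE = `https://example.com/fb/callback?session=${TOKEN}&uid=42`;
// OAuth 2.0 implicit flow: token in the fragment.
const FRAGMENT_PAGE = `https://example.com/fb/callback#access_token=${TOKEN}&expires_in=3600`;
// A script, image or iframe from someone else embedded in the callback page.
const THIRD_PARTY = 'https://cdn.third-party.example/widget.js';

function demo() {
  return {
    legacyLeaks: tokenLeaks(LEGACY_PAGE, THIRD_PARTY, TOKEN),
    fragmentLeaks: tokenLeaks(FRAGMENT_PAGE, THIRD_PARTY, TOKEN),
    legacyUnderStrictPolicy: tokenLeaks(LEGACY_PAGE, THIRD_PARTY, TOKEN, 'strict-origin-when-cross-origin'),
  };
}

console.log(demo());
```

The practical check this gives you: if the page that receives the callback loads anything from another origin and the credential sits in the query string, the default Referer of a 2011-era browser carried it off-site; moving it to the fragment stops that at the browser level, independent of how the server handles the URL. A Referrer-Policy header or scrubbing the URL with history.replaceState before third-party content loads are later, additional layers, not substitutes for keeping the credential out of the query string.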