I was having a problem with continuous redirect for my application that is basically requesting basic user info such as name, gender and location.
I went through too much headache until I decided to open up base_facebook.php and trace the flow. I ended up commenting out the if block that checks whether $sig matches $expected_sig inside the parseSignedRequest function. The application worked fine and displayed the basic information about me. However, I wonder if it is safe to do so, and why $expected_sig does not match $sig. Any help would be appreciated, thanks indeed.
protected function parseSignedRequest($signed_request) {
    list($encoded_sig, $payload) = explode('.', $signed_request, 2);

    // decode the data
    $sig  = self::base64UrlDecode($encoded_sig);
    $data = json_decode(self::base64UrlDecode($payload), true);

    if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        self::errorLog('Unknown algorithm. Expected HMAC-SHA256');
        return null;
    }

    // check sig: the HMAC is computed over the still-encoded payload
    $expected_sig = hash_hmac('sha256', $payload,
                              $this->getAppSecret(), $raw = true);

    // debug output added while tracing the flow
    var_dump($expected_sig);
    echo '<br/><br/><br/>';
    var_dump($sig);

    // signature check commented out (this is what makes the app "work")
    // if ($sig !== $expected_sig) {
    //     self::errorLog('Bad Signed JSON signature!');
    //     return null;
    // }

    return $data;
}
This is essential for security reasons. It verifies that the request is coming from Facebook, because only FB and you know the app secret.
Realistically, the only variables that are going to screw this up are the Facebook app secret or some sort of modification to the signed_request. I had this same issue when I was testing because I copied the signed request coming in wrong. Make sure to double check everything.
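To make the answer concrete, here is an added example (not from the question, the answer, or the Facebook SDK) that re-implements the signed_request check in Python so it can be run offline. The app secret, user id and timestamp are constructed values, and make_signed_request only exists to produce sample input the way Facebook's servers would. It shows the three things the SDK's commented-out block protects against: a request signed with a different secret, a payload swapped for another user while the old signature is kept, and why the HMAC must be computed over the encoded payload rather than the decoded JSON.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example; a real app secret lives only on your server.
APP_SECRET = "example-app-secret-not-real"


def base64url_decode(s: str) -> bytes:
    """Decode Facebook-style base64url: '-'/'_' alphabet, padding stripped."""
    s = s.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)  # restore the '=' padding Facebook removes
    return base64.b64decode(s)


def base64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_signed_request(data: dict, secret: str) -> str:
    """Build a signed_request as Facebook does (sample-input helper only)."""
    payload = base64url_encode(json.dumps(data, separators=(",", ":")).encode())
    # The signature covers the *encoded* payload string, not the decoded JSON.
    sig = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).digest()
    return f"{base64url_encode(sig)}.{payload}"


def parse_signed_request(signed_request: str, secret: str):
    """Return the decoded data only if the HMAC verifies, otherwise None."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
    except ValueError:
        return None  # not of the form "<sig>.<payload>"
    sig = base64url_decode(encoded_sig)
    data = json.loads(base64url_decode(payload))
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # Raw digest bytes, exactly like hash_hmac(..., $raw = true) in the SDK.
    expected_sig = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison instead of !== on the raw bytes.
    if not hmac.compare_digest(sig, expected_sig):
        return None
    return data


def demo():
    original = {"algorithm": "HMAC-SHA256", "user_id": "1234567890", "issued_at": 1300000000}
    sr = make_signed_request(original, APP_SECRET)

    valid = parse_signed_request(sr, APP_SECRET)
    # Same request, but the server holds a different (wrong) secret.
    wrong_secret = parse_signed_request(sr, "some-other-secret")
    # Keep the genuine signature but swap in a payload naming another user.
    forged_payload = base64url_encode(
        json.dumps({**original, "user_id": "999"}, separators=(",", ":")).encode()
    )
    forged = parse_signed_request(sr.split(".", 1)[0] + "." + forged_payload, APP_SECRET)

    return {"valid": valid, "wrong_secret": wrong_secret, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

If your own $expected_sig never matches, compare the two inputs to the HMAC with this script: the secret string (no stray whitespace, the secret of the same app the request was issued for) and the second half of signed_request exactly as it arrived, before any URL decoding turned a + into a space or a copy/paste dropped a character.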