Home/ Questions/Q 6208441
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T05:48:35+00:00

if $user is empty i want to redirect to authenticate page but i am

  • 0

if $user is empty i want to redirect to authenticate page but i am seeing facebook logo and require click this logo else dont go to the authenticate page.

This is my redirect code:

if($user)
{
      // code..
}
else
{
        $url = 'https://www.facebook.com/dialog/oauth?client_id=258561857493875&redirect_uri=http://apps.facebook.com/gunlukburcpaylas/&scope=email,read_stream,publish_stream,offline_access,user_birthday';
        header("location:".$url);
}

You can see from here my application.

(Sorry for my English. My first language is not English)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The Facebook API does not allow you to issue Redirect headers for the Authetication page. Heres the Authentication page I use, with the pieces relevant to only my page removed. If you put this code in, it will work, as I use it in production for my facebook application. It also implements CSRF protection.
    EDIT: I removed the APP_SECRET, because I doubt you need it.

    <?php  
$valid = false;

define(APP_ID, "");
define(CHROMED_URL, "");//this is the facebook app url in the form http://apps.facebook.com/[app name]

$desired_perms = "";//place the permisions you want here
$auth_url = "https://www.facebook.com/dialog/oauth?client_id=".APP_ID."&redirect_uri=".urlencode(CHROMED_URL)."&scope=".$desired_perms;

$signed_request = $_REQUEST["signed_request"];

list($encoded_sig, $payload) = explode('.', $signed_request, 2);

$data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);

if ( empty($data["user_id"])) {
    //The user is not logged in, or the user has not authorized the app
    //We start a session to maintain a marker variable for XSS attack detection
    //The auth url will log the user in AND acquire permissions if needed.
    $_SESSION['marker'] = md5(uniqid(rand(), TRUE)); //CSRF protection
    session_write_close();
    echo("<script> top.location.href='".$auth_url."&marker=".$_SESSION['marker']."'</script>");
} else {
    if ($_SESSION['marker'] == $_GET['marker']) {
        //The user is logged in, has given the app permission, and appears to be operating under the correct session
        //marker, which protects against XSS attacks. 

        //lets verify the datas algorithm as a precaution

        if ($data["algorithm"] != "HMAC-SHA256") {
            echo("<script> top.location.href='./error.php?id=1'</script>");
            exit;
        }
        $valid = true;

    } else {
        //This branch means the user is logged in, but that it appears they have been subjected to
        //an XSS attack.
        echo("<script> top.location.href='./error.php?id=2'</script>");
            exit;
    }

}
?>
<?php if($valid): ?>
<!-- PUT The HTML to embed your application here -->
<?php endif; ?>
    • 0