I’m fairly new to facebook development, but have experience with PHP and JavaScript.
I’ve been reading through the SDK documentation and various articles regarding facebook integration but have found that a couple of fundamental questions are still open in my head!
I am trying to achieve the following:
- Create a website that uses facebook only for registration and login
- Use PHP to store facebook user id of registered users in a database on my app server, along with some limited app specific info for those users. All ‘generic’ info (email address, etc.) should be retrieved from facebook.
- when a user logs in, get a combination of database records for that user, and facebook stuff.
What I’ve achieved so far:
- I have used the registration plugin to display a register button to unregistered users, and a login button for users who are logged out when they land on the page. I hide the login button using JavaScript and jQuery if the user is already logged in.
- I also have a page which receives a registered user and interprets the signed_request, adding the user’s id to the users table in my database.
Where my confusion arises:
- I want to use the JavaScript SDK for user authentication (as it’s really easy) – this is obviously done asynchronously on the client side.
- Having said that, once a user has logged in using the JS SDK, I need to get some data from my database. I am happy to do this via an AJAX request, BUT that would require passing the facebook user id as part of that request. Surely this could be easily spoofed/changed by a savvy user & they could hence login to my application as someone else?
Question:
How do I securely pass information about a user who has logged in using the JS API to my server?
If the answer is “you can’t” then why bother authenticating with the JS API? Is that just for apps that are really light touch?
Thanks in advance for any help!
The simple answer is, you use cookies. This Facebook blog post has a clear example of how to implement a client-side login and expose that data to the server.
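What makes the cookie approach safe against the spoofing the question worries about is that the server never trusts a bare user id: the JS SDK stores a signed_request in the fbsr_<APP_ID> cookie, and the server verifies its HMAC-SHA256 signature with the app secret before reading the user id out of it. The following PHP is an added example, not code from the answer above or from Facebook's SDK; the app secret, user ids and the constructed cookie value are placeholders.

```php
<?php
// Added example: verify a Facebook signed_request (format: base64url(sig).base64url(json))
// before trusting the user_id inside it. Only the server knows the app secret.

function base64UrlEncode(string $input): string
{
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}

function base64UrlDecode(string $input)
{
    return base64_decode(strtr($input, '-_', '+/'));
}

// Returns the payload array on success, or null if the value is malformed or
// the signature does not match. Never read user_id from an unverified payload.
function parseSignedRequest(string $signedRequest, string $appSecret): ?array
{
    $parts = explode('.', $signedRequest, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encodedSig, $payload] = $parts;
    $sig  = base64UrlDecode($encodedSig);
    $data = json_decode(base64UrlDecode($payload), true);
    if (!is_string($sig) || !is_array($data)) {
        return null;
    }
    if (strtoupper($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }
    // The HMAC covers the still-encoded payload; compare in constant time.
    $expected = hash_hmac('sha256', $payload, $appSecret, true);
    return hash_equals($expected, $sig) ? $data : null;
}

// Builds a value in the same format so the check can be exercised offline (constructed sample).
function makeSignedRequest(array $data, string $appSecret): string
{
    $payload = base64UrlEncode(json_encode($data));
    return base64UrlEncode(hash_hmac('sha256', $payload, $appSecret, true)) . '.' . $payload;
}

$appSecret = 'APP_SECRET_PLACEHOLDER';  // in production: server-side config, never sent to the browser
$cookie = makeSignedRequest(['algorithm' => 'HMAC-SHA256', 'user_id' => '1234567890'], $appSecret);
echo 'genuine cookie -> user_id ', parseSignedRequest($cookie, $appSecret)['user_id'] ?? 'rejected', PHP_EOL;

// A client that rewrites the payload to claim another user id still carries the
// old signature, so the HMAC check fails and the server rejects the request.
[$oldSig] = explode('.', $cookie, 2);
$forged = $oldSig . '.' . base64UrlEncode(json_encode(['algorithm' => 'HMAC-SHA256', 'user_id' => '999']));
echo 'forged cookie  -> ', parseSignedRequest($forged, $appSecret) === null ? 'rejected' : 'accepted', PHP_EOL;
```

In the real application the input comes from `$_COOKIE['fbsr_' . $appId]`, and the AJAX request from the question then needs to carry no user id at all, since the server derives it from the verified payload.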