I’ve created an iframe Facebook app and I want to disable the app outside of Facebook, so that the user can’t open the app via a direct URL. I found a solution with JavaScript, but I need it in PHP.
I can’t use the referrer, because some users have disabled it in their browser…
You can check if there’s a signed_request param sent in the request.
If the application is opened inside Facebook, then signed_request exists.
But there’s one more issue.
You should check if signed_request is valid, and for that you can use the parse_signed_request method:
public function parse_signed_request($signed_request, $secret) {
    list($encoded_sig, $payload) = explode('.', $signed_request, 2);
Then you can check if $data['user_id'] exists or if it is equal to the logged-in user.
If not, you can redirect like this:
echo "<script type='text/javascript'>top.location.href = '$this->loginUrl';</script>";
Or find some way to redirect from PHP. (There was a redirect method in the old PHP SDK.)
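A complete version of the check described in the answer above, as an added example that is not part of the original answer or of Facebook's SDK: it verifies the HMAC-SHA256 signature over the encoded payload in constant time before parsing the JSON, then gates on user_id. The secret is a placeholder, `make_sample_request` is a hypothetical helper, and the sample requests are constructed locally.

```php
<?php
// Added example. APP_SECRET is a placeholder; sample requests are constructed.
const APP_SECRET = 'app-secret-placeholder';

function base64_url_decode($input) {
    // signed_request uses URL-safe base64 without padding
    $b64 = strtr($input, '-_', '+/');
    return base64_decode($b64 . str_repeat('=', (4 - strlen($b64) % 4) % 4), true);
}

function base64_url_encode($raw) {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function parse_signed_request($signed_request, $secret) {
    if (!is_string($signed_request) || substr_count($signed_request, '.') !== 1) {
        return null; // parameter missing or malformed: not opened inside Facebook
    }
    list($encoded_sig, $payload) = explode('.', $signed_request, 2);
    $sig = base64_url_decode($encoded_sig);
    // The HMAC covers the still-encoded payload; verify it before parsing any JSON
    $expected = hash_hmac('sha256', $payload, $secret, true);
    if ($sig === false || !hash_equals($expected, $sig)) {
        return null; // forged or corrupted request
    }
    $json = base64_url_decode($payload);
    $data = ($json === false) ? null : json_decode($json, true);
    if (!is_array($data) || strtoupper((string) ($data['algorithm'] ?? '')) !== 'HMAC-SHA256') {
        return null;
    }
    return $data;
}

// Hypothetical helper: builds a request signed with the given secret
function make_sample_request(array $data, $secret) {
    $payload = base64_url_encode(json_encode($data));
    return base64_url_encode(hash_hmac('sha256', $payload, $secret, true)) . '.' . $payload;
}
$claims = ['algorithm' => 'HMAC-SHA256', 'user_id' => '1000'];
$samples = [
    'valid'   => make_sample_request($claims, APP_SECRET),
    'forged'  => make_sample_request($claims, 'wrong-secret'),
    'missing' => null, // direct URL access: no signed_request at all
];
foreach ($samples as $label => $signed_request) {
    $data = parse_signed_request($signed_request, APP_SECRET);
    $allowed = $data !== null && !empty($data['user_id']);
    echo $label, ': ', $allowed ? 'serve app' : 'redirect to Facebook', "\n";
}
```

In the app itself, pass the signed_request parameter from the incoming request to `parse_signed_request` in place of the constructed samples.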