Home/ Questions/Q 7672835
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T16:22:35+00:00

Situation: I am developing a facebook canvas app. Facebook is sending my sever a

  • 0

Situation: I am developing a facebook canvas app. Facebook is sending my sever a POST request with the signed_request each time that a page is render. Inside my app I have all my links with target=”_top” because if I don’t, facebook send my server a common GET without the signed request. So I cann’t check the user info.

Problem: It is too slow! even if I am testing it in local, each click that I press takes 1 sec to render and my canvas becomes completely white and then the info is shown, It will be a bad user experience.

My tests: If I remove the target=_top and I point all my links’ href to my server without the app.facebook.com/whatever, it loads very quickly.

My doubts: Is there any security issue with this? If I point all the links to my server (no apps.facebook.com) I can not check the signed request, I will only check it in the main page..

Any advice? any tutorial? Do I have any misundestanding of this? (It is my first facebook app)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Have you read the Server-Side Authentication tutorial?
    You’re doing it wrong.

    Once the users lands in your app you should keep all links in the same frame, loading the entire window along with facebook is completely redundant.

    What you should do:

    When you get the POST with the signed request, decode it and check if the user is authenticated, if he is persist the data (token and such) somewhere (session, db, cache).
    If he is not authenticated send him to the auth dialog as noted in the tutorial, when he gets back exchange the code you get (in GET) for the token (also shown in the tutorial), then redirect him to http(s)://apps.facebook.com/YOUR_APP and you’ll be posted with the authenticated signed request, save it, etc..

    Since you persist the data, in every request that is not POST or don’t include the signed_request check your persistency choice for the data, and use it.

    There should be only two times where facebook sends you the request, once it is POST when your canvas is loaded, the 2nd is when the user returns from the authentication dialog, in which you either get the code parameter or error in case the user declined the authentication.
    Other requests should be from your app (inside the iframe) into the app servers.

    • 0