We have (currently) working projects that use the JavaScript API to get the Facebook session object, pass it to a Flash client, and that Flash client then sends it to our Java socket server, which validates the session without a call to Facebook itself, by concatenating the half dozen or so parts of the session object (not the sig) in a certain order, concatenating the app secret key at the end, then hashing. This is compared to the sig, and it matches nicely for us, using the old API and a valid client.
On Oct 1st, the old API with session won’t work any more. The authResponse object doesn’t have the same fields. It has accessToken, userID, expiresIn, and signedRequest.
Is there a way for our Java socket server to do a similar validation of an authResponse object, so that it doesn’t have to make a Facebook call when the client logs in to the socket server?
The JavaScript SDK sets a cookie on the client computer with the name fbsr_APP_ID,
which is basically a “signed request”; you can read what a signed request is and how to validate and decode it server-side here:
https://developers.facebook.com/docs/authentication/signed_request/
Hope this helps.
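As an added illustration of the server-side check the answer points to (not code from the original post or from Facebook's SDK), here is the signed_request validation as a Java socket server could run it locally: split the value on the dot, base64url-decode both halves, recompute HMAC-SHA256 over the still-encoded payload with the app secret, and compare in constant time. The secret, user id, token and timestamp in `main` are constructed sample values, and the `sign` helper only exists to build that sample the way the SDK would.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class SignedRequestVerifier {

    // Verifies a signed_request of the form "<sig>.<payload>" (both base64url, no padding)
    // and returns the decoded JSON payload, or null when the signature does not check out.
    public static String verify(String signedRequest, String appSecret) throws Exception {
        int dot = signedRequest.indexOf('.');
        if (dot <= 0 || dot == signedRequest.length() - 1) return null;
        String encodedSig = signedRequest.substring(0, dot);
        String encodedPayload = signedRequest.substring(dot + 1);

        Base64.Decoder dec = Base64.getUrlDecoder(); // accepts unpadded input
        byte[] sig;
        byte[] payloadBytes;
        try {
            sig = dec.decode(encodedSig);
            payloadBytes = dec.decode(encodedPayload);
        } catch (IllegalArgumentException e) {
            return null; // not base64url at all
        }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);

        // The payload names its algorithm; accept only the one we are about to compute.
        if (!payload.contains("\"algorithm\":\"HMAC-SHA256\"")) return null;

        // The HMAC covers the *encoded* payload string, not the decoded JSON.
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(appSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] expected = mac.doFinal(encodedPayload.getBytes(StandardCharsets.US_ASCII));

        // Constant-time comparison so a wrong signature does not leak timing information.
        if (!MessageDigest.isEqual(expected, sig)) return null;
        return payload;
    }

    // Builds a signed_request the way the SDK does; used here only to produce the sample below.
    static String sign(String payloadJson, String appSecret) throws Exception {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String encodedPayload = enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(appSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] sig = mac.doFinal(encodedPayload.getBytes(StandardCharsets.US_ASCII));
        return enc.encodeToString(sig) + "." + encodedPayload;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the real app secret comes from the app settings, never the client.
        String appSecret = "example-app-secret-placeholder";
        String payload = "{\"algorithm\":\"HMAC-SHA256\",\"issued_at\":1317400000,"
                       + "\"user_id\":\"100000000000001\",\"oauth_token\":\"EXAMPLE_TOKEN\"}";

        String good = sign(payload, appSecret);
        System.out.println("valid     -> " + verify(good, appSecret));

        // Flip the last payload character: the HMAC over the encoded payload no longer matches.
        char last = good.charAt(good.length() - 1);
        String tampered = good.substring(0, good.length() - 1) + (last == 'A' ? 'B' : 'A');
        System.out.println("tampered  -> " + verify(tampered, appSecret));

        // A request signed under a different secret is rejected as well.
        System.out.println("wrong key -> " + verify(good, "some-other-secret"));
    }
}
```

The server should trust only fields it reads from a payload that passed `verify`, never the same fields sent separately by the client. Checking that the payload's `issued_at` is recent is an additional freshness check worth adding in practice (an assumption here, not something the answer states), since the signature alone does not stop an old but validly signed value from being replayed.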