In this example I show how to validate a user’s Facebook session on the server side using the fbsr cookie created by the Facebook JavaScript API.
I use the following basic HTML to initialize the login button.
The Facebook login will in this case create a cookie named fbsr_[your Facebook application id], which is a signed request consisting of two parts:
[HMAC-SHA256 signature].[base64url-encoded JSON]
Now I can validate the cookie on the server side by computing the HMAC of the second part of the cookie with my Facebook application secret and making sure that it matches the first part. To get the JSON data I just have to base64url-decode and then JSON-decode the second part of the cookie.
Here’s code that I use to do it in Java:
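The original gist is not reproduced here. The following is an added example (not the post’s own code) of the check described above in Java: split the cookie at the dot, HMAC-SHA256 the still-encoded second part with the application secret, compare it in constant time against the base64url-decoded first part, and only then decode the JSON. The secret and the JSON payload in main are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Verifies a fbsr_<app id> cookie value of the form
// [base64url HMAC-SHA256 signature].[base64url JSON] against the app secret.
public class FbsrValidator {

    private static byte[] hmacSha256(String secret, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.US_ASCII));
    }

    /** Returns the decoded JSON payload, or null if the cookie is malformed or the MAC does not match. */
    public static String verify(String cookieValue, String appSecret) throws Exception {
        if (cookieValue == null) return null;
        int dot = cookieValue.indexOf('.');
        if (dot <= 0 || dot == cookieValue.length() - 1) return null;
        String encodedSig = cookieValue.substring(0, dot);
        String encodedPayload = cookieValue.substring(dot + 1);
        byte[] expectedSig;
        try {
            // Java's URL decoder accepts the unpadded base64url Facebook uses.
            expectedSig = Base64.getUrlDecoder().decode(encodedSig);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // The MAC covers the still-encoded second part, not the decoded JSON.
        byte[] actualSig = hmacSha256(appSecret, encodedPayload);
        // Constant-time comparison so the check does not leak how many bytes matched.
        if (!MessageDigest.isEqual(expectedSig, actualSig)) return null;
        return new String(Base64.getUrlDecoder().decode(encodedPayload), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder values; a real cookie is produced by the Facebook JavaScript API.
        String secret = "constructed-app-secret";
        String json = "{\"algorithm\":\"HMAC-SHA256\",\"code\":\"constructed-code\",\"user_id\":\"1234\"}";
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String payload = enc.encodeToString(json.getBytes(StandardCharsets.UTF_8));
        String cookie = enc.encodeToString(hmacSha256(secret, payload)) + "." + payload;
        System.out.println("valid cookie accepted: " + (verify(cookie, secret) != null));
        System.out.println("tampered payload accepted: " + (verify(cookie + "x", secret) != null));
        System.out.println("wrong secret accepted: " + (verify(cookie, "other-secret") != null));
    }
}
```

The decoded payload is ordinary JSON; parse it with whatever JSON library the application already uses to read the code field used in the next step.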
To get the access token, we need to make the following request to the Graph API:
https://graph.facebook.com/oauth/access_token?
client_id=[facebook application id]
&redirect_uri=
&client_secret=[application secret]
&code=[code from the json]
Note that you need to include an empty redirect_uri parameter in the request for it to work. From the response you get the actual access token, which you can use to get more information about the user.