使用Facebook SDK进行iOS身份验证
[英]iOS authentication with facebook SDK
问题描述
I have a website that uses facebook connect. 
我有一个使用Facebook Connect的网站。
I have a security related question regarding the iPhone app i'm building for it. 我有一个有关我为其构建的iPhone应用程序的安全相关问题。
For the website, I keep a USERS table in my database. 对于网站,我在数据库中保留了一个USERS表。
The USERS table among other things has those fields: 除其他内容外,USERS表具有以下字段:
ID (int) an internal auto-generated id
FBID (int) the facebook user id
GUID (varchar 40) a random long guid for API uses
When a user logs into my website, after approving my website with facebook, he gets redirected to a login.php page where i get his FBID and easily log him in by creating a new user or finding an existing one. 当用户登录我的网站时,在用facebook批准我的网站后,他被重定向到login.php页面,在该页面上我获得了他的FBID,并可以通过创建新用户或找到现有用户轻松地登录。 i keep the GUID in a session. 我将GUID保留在会话中。
For building the iphone app for my website I downloaded the iOS facebook SDK. 为了为我的网站构建iPhone应用程序,我下载了iOS facebook SDK。
Apparently, same as with the website scenario, in the end of the approvement process i get the user's FBID. 显然,与网站方案相同,在批准过程的最后,我得到了用户的FBID。 The problem is that sending the FBID to my website is insecure as i see it. 问题是,如我所见,将FBID发送到我的网站是不安全的。 If i open an API that gets an FBID and logs users in - any person can send his/hers friend's FBID and log into my website in their name. 如果我打开获取FBID并登录用户的API,则任何人都可以发送他/她朋友的FBID并以他们的名字登录我的网站。 Is this correct? 这个对吗? if so - what should i do? 如果是这样-我该怎么办?
cheers, 干杯,
1 个解决方案
解决方案1
0 2012-08-18 04:32:00
you can send the access token along with the Fbid to your server and then make a request to facebook.. 您可以将访问令牌和Fbid一起发送到您的服务器,然后向Facebook发出请求。
https://graph.facebook.com/me?access_token=XYZ
this will return you a list of things along with the Fbid and than you can check if both FBId's are same thus authentication is performed.. hoping this helps. 这将返回您的清单以及Fbid,然后您可以检查两个FBId是否相同,从而执行身份验证。.希望这样做有帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.