简体   繁体   中英

Enforcing Facebook Authentication: Client-side and server-side

I'm building a social media app in Flash (AS3) that is tightly integrated with Facebook--all user accounts are handled via Facebook connect, and all Facebook connectivity is handled via a combination of the Javascript and AS3 Facebook APIs. I'm using Codeigniter on the backend for server-side data management, which includes tracking user actions and data on the site through URLRequests from Flash.

My problem is that I don't know how to prevent spoofing of the server requests that are made from Flash; in theory, malicious users could track the calls that Flash is making to my server and reproduce them in a way that (for example) inserts garbage data and associates it with a given Facebook user ID in my database. All authentication is taking place on the client side (via the Facebook JS API) with no intervention by the server, so I'm having a hard time figuring out exactly how to secure calls between Flash and the server in a manner that ensures that users have to be authenticated with Facebook in order to make them.

One possibility I considered is using an encryption scheme known by the client and server to pass Facebook UIDs back and forth, which would certainly be better than passing them in the clear. However, it would only take one enterprising hacker with enough time/patience to break the scheme (or decompile the swf) to screw everything up.

Anyway, I may be overthinking this, but it seems like an important point and I'm really not sure of the best approach. Any feedback would be greatly appreciated!

I just spent a ton of time trying to figure this one out! I know this is an old question, but hopefully it will be useful to you still or at least someone else.

The basic problem is just like you said. If you are doing client-side authentication, but you want to do some user-specific server side operations, you need to security authenticate the user on your system as well. Ideally, you would want to avoid having them log on again with a password and such because that would be a horrible user experience. So one might be tempted to just send over the UID and log them on that way. Unfortunately, there's an obvious security risk to this. As you point out, anyone can pass the UID which is generally public knowledge and log on as someone they are not.

The solution to this problem is to use information stored in a cookie that the facebook api drops after a user successfully logs on. The information in the cookie contains the user information in it as well as a unique signature data. If the server grabs the contents of the cookie, and you process it correctly, out should pop a secret code. This secret code should match, exactly, your application secret code which only you and facebook know. If it does, then you know the cookie (and thus the user) is legit. If it is not the same, then you know someone is trying something funny.

For more information, you might consider checking out these pages: PHP - https://developers.facebook.com/docs/guides/web/#personalization Ruby - http://vombat.tumblr.com/post/835536630/ruby-version-of-facebooks-get-facebook-cookie-in-php

I should also note that similar approaches for both LinkedIn and Twitter exist.

This is a legitimate concern because you are in violation of CWE-603: Use of Client-Side Authentication . Encryption cannot help this station because a malicious client will be able to obtain any secret.

The best approach for verifying a client is to have the flash app send information about the session back to the server. The server then has to connect back to facebook using something like the php api such that the server can verify that the client has a valid session with facebook. This should be done once per login, and then you can issue a session id (cookie) to the flash app to access your data store for that user.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM