Using the Facebook Login button for website sign-in is nice and dandy with the current Facebook JavaScript SDK. However, scouring Facebook’s documentation failed to shed any light on how to verify that the response your server receives really came from Facebook, rather than being forged or tampered with by the user.

The Login button’s callback reports one of three statuses: “connected”, “notConnected” and “unknown”. More about their meaning can be found in Facebook’s documentation.

What I’m interested in is the response.session object, which looks like this:

To reproduce the sig value, I need to take every field of the session except sig itself, write each one as name=value, order them alphabetically by field name, concatenate them with no separator, append my Facebook App Secret at the end and md5 the result. Because the App Secret never leaves the server, nobody who doesn’t know it can produce a sig that matches.

So, for instance, after posting the session fields to a PHP script, I’d verify them with:

// ...
// Every field of the session object is posted back to us; sig itself is
// left out of the hash, since it is the value we are checking.
foreach (array('access_token', 'expires', 'secret', 'session_key', 'uid', 'sig') as $field) {
    if (!isset($_POST[$field])) {
        // Handle missing field: the session is incomplete, treat it as invalid
    }
}
$compSig = md5(
    "access_token={$_POST['access_token']}".
    "expires={$_POST['expires']}".
    "secret={$_POST['secret']}".
    "session_key={$_POST['session_key']}".
    "uid={$_POST['uid']}".
    FB_APP_SECRET
);
// Strict comparison: a loose != would compare two hex strings that both
// start with "0e" as numbers and report them equal.
if ($compSig !== $_POST['sig']) {
    // Handle sig mismatch
}
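The same check written out generically, as an added example that is not code from the original post: instead of hard-coding the five field names, it signs and verifies whatever fields the session carries, sorting them by name, so the field list above falls out of the data. The app secret and session values are made up for the example, the comparison is constant-time, and treating expires=0 as “does not expire” is my assumption about the old API rather than something the post states.

```python
import hashlib
import hmac
import time

# Constructed example value, not a real Facebook App Secret.
FB_APP_SECRET = "0123456789abcdef0123456789abcdef"


def fb_session_payload(session):
    """The string Facebook signs: every field except sig, written as
    name=value, ordered alphabetically by field name, no separator."""
    return "".join(
        "%s=%s" % (name, session[name]) for name in sorted(session) if name != "sig"
    )


def fb_session_sig(session, app_secret):
    """Expected sig: md5 of the payload with the app secret appended."""
    data = (fb_session_payload(session) + app_secret).encode("utf-8")
    return hashlib.md5(data).hexdigest()


def verify_fb_session(session, app_secret, now=None):
    """True only if sig matches and the session has not expired."""
    if "sig" not in session:
        return False
    expected = fb_session_sig(session, app_secret)
    # Constant-time comparison, so a mismatch does not leak how many
    # leading hex digits were right.
    if not hmac.compare_digest(expected, str(session["sig"])):
        return False
    try:
        expires = int(session.get("expires", 0))
    except (TypeError, ValueError):
        return False
    if now is None:
        now = time.time()
    # Assumption: expires=0 means the session does not expire.
    if expires != 0 and expires <= now:
        return False
    return True


def make_example_session(app_secret, now):
    """A constructed session object, signed the way Facebook would sign it."""
    session = {
        "access_token": "123|abcdef",
        "expires": str(int(now) + 3600),
        "secret": "examplesessionsecret",
        "session_key": "examplesessionkey",
        "uid": "100000000",
    }
    session["sig"] = fb_session_sig(session, app_secret)
    return session


if __name__ == "__main__":
    now = time.time()
    good = make_example_session(FB_APP_SECRET, now)
    print("valid session:", verify_fb_session(good, FB_APP_SECRET, now))
    # Changing any signed field (here the uid) invalidates sig.
    tampered = dict(good, uid="100000001")
    print("tampered uid:", verify_fb_session(tampered, FB_APP_SECRET, now))
```

Note that the sorting is what makes the hard-coded order in the PHP above correct: "secret" sorts before "session_key" because "c" comes before "s", so any fixed list must follow the same byte order or the hash will never match.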