Get user ID on every app server request

Question

I'm developing a FB app that is loaded in a FB canvas. I'm using Java with Spring as server side technology. On app load, FB requests with POST the URL that I have configured in the app account in FB, including signed_request param for user authorization. This way I can get the logged in user ID securely.

I wonder what is the best way to get the logged in user ID on each call from the HTML inside the canvas to my app web server (right after the signed_request call)?

Thanks!

Answer 1

I would do it as follows:

1. Authenticate the user once and get the signed_request param.
2. Store this in an internal map / database against the user.
3. Associate a cryptographic nonce with every outgoing response which would come back along with the request and can be used to find the correct user.
4. All this happens in servlet filter (or its equivalent in Spring MVC if there is one) as this is a cross-cutting concern for all the incoming requests and outgoing responses.

My two cents!