I got an email today saying:
In every case that we have examined, this information is passed via the HTTP Referer Header by the user's browser. This can happen when using our legacy authentication system and including , or content from 3rd parties in the page that receives authentication data from Facebook. Our legacy mechanism passes authentication information in the URL query string which, if handled incorrectly, can be passed to 3rd parties by the browser. Our current OAuth 2.0 authentication system, released over a year ago, passes this information in the URL fragment, which is not passed to 3rd parties by the browser.
I'm a bit confused, as the way I have integrated it is using the PHP API, with a similar approach to the one in the example.php file:
https://github.com/facebook/php-sdk
Here is how I'm making the request:
<?php
require_once 'facebook.php';   // Facebook class from the php-sdk checkout linked above
session_start();               // must run before anything is written to $_SESSION

$facebook = new Facebook(array(
    'appId'  => FACEBOOKAPPID,
    'secret' => FACEBOOKSECRET,
    'cookie' => false,
));
$fb_session = $facebook->getSession();
$fb_me = null;

// Session based API call.
if ($fb_session) {
    try {
        $fb_uid = $facebook->getUser();
        $fb_me  = $facebook->api('/me');
        $fb_me['photo'] = 'http://graph.facebook.com/' . $fb_uid . '/picture?type=large';
        $_SESSION['register_api']         = 1;
        $_SESSION['register_api_details'] = $fb_me;
        $_SESSION['register_api_user_id'] = $fb_uid;
        header_redirect(SITEURL . '/register');   // site's own redirect helper
    } catch (FacebookApiException $e) {
        error_log($e);
    }
} else {
    # LOGIN URL FOR FACEBOOK & request extra stuff
    $fb_login_url = $facebook->getLoginUrl(array(
        'req_perms' => 'email,user_about_me,user_birthday,user_website',
    ));
    header_redirect($fb_login_url);
}
Everything is working fine, but I don't understand what I am doing wrong. As far as I was aware, I am using OAuth.
It turns out that they were just about to release a new version of the API which solved this problem.