
Remove the app_data from the signed request


When I call my fb-app with a GET request, like "?app_data=1", the variable is in the signed request. OK so far. But when I click another link in my fb-app, the app_data is still in the signed request. My application reacts to it, but I don't need it again.

How can I remove the app_data in the signed request? Has anyone a suggestion for this problem?

I use the PHP and JS SDK.

// signed_request arrives as one string: "<encoded signature>.<encoded payload>"
if(isset($_REQUEST['signed_request']))
{
    $sSignedRequest = $_REQUEST['signed_request'];
    list($sEncodedSig, $sPayload) = explode('.', $sSignedRequest, 2);

    // decode the data (base64url -> JSON); the signature in $sEncodedSig is not checked here
    $aData = json_decode(base64_decode(strtr($sPayload, '-_', '+/')), true);
    $iContestId = isset($aData['app_data']) ? $aData['app_data'] : null;
}

Solution

  • Here is the solution:

    // drop app_data, then re-encode and re-sign the payload with the app secret
    unset($aData['app_data']);
    $sData = json_encode($aData);
    $sPayload = base64_encode($sData);
    // raw (binary) HMAC-SHA256 over the encoded payload string
    $sEncodedSig = hash_hmac('sha256', $sPayload, '<<fb app-secret>>', true);
    $sSignedRequest = base64_encode($sEncodedSig).'.'.$sPayload;
    $_REQUEST['signed_request'] = $sSignedRequest;
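
The code in the question reads app_data without checking the signature, so any client could supply its own payload. As an added example (not part of the original post and not the Facebook SDK's code), the following verifies the HMAC-SHA256 signature before trusting app_data, then removes it and re-signs using base64url; the function names, the secret and the sample payload are assumptions made for illustration.

```php
<?php
// Added example: helper names are hypothetical; secret and payload are constructed.

function b64url_encode($sBin)
{
    return rtrim(strtr(base64_encode($sBin), '+/', '-_'), '=');
}

function b64url_decode($sStr)
{
    return (string) base64_decode(strtr($sStr, '-_', '+/'));
}

// Returns the payload array, or null when the format or signature is invalid.
function parse_signed_request($sSignedRequest, $sAppSecret)
{
    $aParts = explode('.', (string) $sSignedRequest, 2);
    if (count($aParts) !== 2) {
        return null;
    }
    list($sEncodedSig, $sPayload) = $aParts;
    $aData = json_decode(b64url_decode($sPayload), true);
    if (!is_array($aData) || ($aData['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }
    // The HMAC covers the encoded payload string exactly as received.
    $sExpected = hash_hmac('sha256', $sPayload, $sAppSecret, true);
    return hash_equals($sExpected, b64url_decode($sEncodedSig)) ? $aData : null;
}

function sign_request(array $aData, $sAppSecret)
{
    $sPayload = b64url_encode(json_encode($aData));
    return b64url_encode(hash_hmac('sha256', $sPayload, $sAppSecret, true)) . '.' . $sPayload;
}

// Constructed sample request, signed with a constructed secret.
$sSecret = 'constructed-app-secret';
$sIncoming = sign_request(array('algorithm' => 'HMAC-SHA256', 'app_data' => '1'), $sSecret);

$aData = parse_signed_request($sIncoming, $sSecret);
if ($aData !== null) {
    $iContestId = isset($aData['app_data']) ? $aData['app_data'] : null;
    unset($aData['app_data']);                 // consume app_data once
    $sClean = sign_request($aData, $sSecret);  // re-signed request without app_data
    var_dump($iContestId, parse_signed_request($sClean, $sSecret));
}
// A request whose payload was altered after signing fails verification.
var_dump(parse_signed_request($sIncoming . 'x', $sSecret));
```

`hash_equals` compares the two MACs in constant time, which a plain `==` or `===` comparison does not guarantee.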