I'm currently trying to implement Facebook Authentication into my website, but I'm seeing many major security holes. The only way I can communicate with the server about the user who just authenticated my app is by using some kind of POST or GET request to another page, which matches the Facebook ID with a database filled with users' Facebook IDs and site user IDs. An attacker can just obtain the Facebook ID of a user, and send an artificial request to the server, getting them access to the account. What is a more secure way of implementing the Facebook Authentication JavaScript SDK with server-side communication?
2 Answers
I think this question is best repeated as: How can I best secure my login system when only sending a facebook id to log someone in? Is that correct?
I think the problem is just the same as a normal log in. You need at least 2 fields to properly confirm a user's identity. Why not select their email, their id, and, I believe, their access token? This access token should be passed straight from Facebook. You can then use this token server-side and ask Facebook if the token is valid.
Check this out: https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
Also: How to extend access token validity since offline_access deprecation
- BTW access tokens change frequently so you should keep it up to date. I think you can just receive it client side, check it server side, then update it in your DB. Hashing it should also be useful in case your DB gets out into the wild somehow. In that case, if it is hashed then people won't even need to worry about logging out of Facebook to invalidate their access tokens. – Parris Aug 17 '12 at 00:43
- Why do I have to store it in a DB? Couldn't I just check with Facebook if the access token is valid? – Wiz Aug 17 '12 at 00:59
- But why would you want to store the access token? What advantages are there? – Wiz Aug 17 '12 at 01:09
- Well, it would just save you the trip to FB and back if there is a match. It is faster some of the time, which means the user experience is better. You could have some condition that says only bother checking to see if the DB token matches if the token was saved in the DB last within some period of time (2 days? however long Facebook says the tokens will last). If it doesn't match then check FB. There are however other conditions that cause tokens to become invalidated, but in that case you just ask Facebook. You can consider this a form of caching. – Parris Aug 17 '12 at 01:16
When the user authenticates on your server, you are also given the access_token of the user as well as their id. You can then pass the access_token to your server and do a request to Facebook using the access_token to make sure it is valid.
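Both answers come down to the same server-side check: never trust a bare Facebook ID posted by the browser, send the access token along with it and ask Facebook who the token really belongs to. The following is an added example (not code from either answer) of that check using the Graph API's documented debug_token endpoint; the app id, secret, token strings and Facebook replies are constructed fixtures, and the fetcher is injectable so the logic runs offline.

```python
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

GRAPH = "https://graph.facebook.com"


def fetch_json(url):
    """Default fetcher: GET a Graph API URL and parse the JSON body."""
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


def verify_facebook_login(claimed_fb_id, user_token, app_id, app_secret,
                          fetch=fetch_json, now=time.time):
    """True only if Facebook confirms user_token was issued to *this* app
    and belongs to claimed_fb_id; the id alone is never enough."""
    if not user_token:
        return False  # a request carrying only an id is the spoofable one
    query = urlencode({"input_token": user_token,
                       "access_token": f"{app_id}|{app_secret}"})  # app token
    data = fetch(f"{GRAPH}/debug_token?{query}").get("data", {})
    if not data.get("is_valid"):
        return False  # expired, revoked, or garbage
    if str(data.get("app_id")) != str(app_id):
        return False  # a valid token, but minted for some other app
    if data.get("expires_at") and data["expires_at"] <= now():
        return False  # expires_at of 0 means a non-expiring token
    return str(data.get("user_id")) == str(claimed_fb_id)


# Constructed stand-ins for Facebook's replies (hypothetical values, not real data).
FIXTURE = {
    "tok-alice": {"data": {"app_id": "1234", "is_valid": True,
                           "user_id": "100", "expires_at": 2_000_000_000}},
    "tok-revoked": {"data": {"app_id": "1234", "is_valid": False, "user_id": "100"}},
    "tok-otherapp": {"data": {"app_id": "9999", "is_valid": True, "user_id": "100"}},
}


def fake_fetch(url):
    """Offline fetcher keyed on the input_token query parameter."""
    token = parse_qs(urlparse(url).query)["input_token"][0]
    return FIXTURE.get(token, {"data": {"is_valid": False}})


def demo():
    """Run the check against the constructed cases; each key is one request shape."""
    check = lambda fb_id, tok: verify_facebook_login(
        fb_id, tok, "1234", "s3cret", fetch=fake_fetch, now=lambda: 1_700_000_000)
    return {"legit": check("100", "tok-alice"),
            "id_only_no_token": check("100", ""),
            "token_of_another_user": check("200", "tok-alice"),
            "revoked_token": check("100", "tok-revoked"),
            "token_for_other_app": check("100", "tok-otherapp")}
```

Only the first case passes; the other four are the request shapes the question worries about, and each is rejected without any database lookup.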