1

I just want to ask a question about Facebook "signed_request" thing.

I'm using Zend Framework for my app. The thing is; when user first authorizes my app OR enters the app from apps.facebook.com/my_app/ URL, I'm successfully retrieving signed_request.

Actually, I'm retrieving it from apps.facebook.com/my_app/index.php (Thanks to this question)

OK, app has been started, I received signed request, stored it in user session. However, when user clicks anywhere in my app, $facebook object is created again but this time, it has no signed_request.

According to this topic on Codeplex, I can expect that signed_request will come in this second request of user:

Instead of using the cookie you should use the signed request value that Facebook POSTS to your page on each request.

On the other hand, Facebook documentation says:

A signed_request is passed to Apps on Facebook.com when they are loaded into the Facebook environment

Now, does Facebook sends this request on each call or is there a technical problem on my app? Could it be an IFrame issue? When user click "categories", page is loading in same iframe and URL on address bar does not change.

Mogsdad
  • 44,709
  • 21
  • 151
  • 275
Emre Can Geçer
  • 395
  • 3
  • 4
  • 14

1 Answers1

3

I think it's basically a difference of definition on what "each request" means. Facebook will POST signed_request to your page only when the containing iframe is first constructed, i.e. when the user goes directly to apps.facebook.com/your_app/somepage.php as their browser location. If the user then follows a "normal" link on your page that results in only a reload of the iframe and not the entire page, no signed_request will be sent. If it helps to think of it this way, signed_request is sent when the user first loads your app, but not on each subsequent request. The reason there is some confusion about this is that many coders have taken a hackish shortcut by making all their links use target=_top and pointing them at apps.facebook.com/your_app/yourpage.php rather than www.yourdomain.com/yourpage.php. Since that results in the entire page being re-constructed each time, it does indeed have the effect of sending signed_request with each page fetch. But in normal (and recommended) operation, you'll need to count on signed_request only being sent once.

Floyd Wilburn
  • 1,852
  • 2
  • 13
  • 6