5

I'm using a before_filter to detect the signed_request query string Facebook generates when a user is referred to a canvas app.

Then, I set session[:canvas] = true and test for that when I need different app logic based on whether the user is in the canvas or on the native browser app. The problem is that if the user, for any reason, leaves the canvas and navigates to the browser-based app, the session[:canvas] variable is still set to true.

Is there a better way to detect the difference between the canvas and the native browser app?

Slick23

3 Answers

4

I personally like to use an "alias" URL for the Facebook app, e.g. use fb.mysite.com instead of www.mysite.com in the app settings and set things up so that the two domains point to the same place. Or something similar can be done with directories, e.g. www.mysite.com/fb/ pointing to the same place as www.mysite.com/ but giving an easy way for the code to determine if it's a direct access or from an app.

Using a session can work too, but you have to add an additional JavaScript check in the case you are currently in "app mode" (canvas==true). The JavaScript just checks to see if the page is inside an iframe, and if it is not then it redirects to something like www.mysite.com/thispage?app=0. Your pages should check for the app=0 parameter and clear the session if present (or set canvas=false). This way, if a user starts out inside Facebook but then visits your site directly, things automatically get adjusted correctly.

Floyd Wilburn
  • Yeah, I was just thinking about that, actually. I'm already pulling in the Heroku URL for the canvas (piggybacking off their SSL), but adding a consistent parameter will help. – Slick23 Dec 01 '11 at 17:06
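
The session approach from this answer, as an added example that is not part of the original posts: the server-side half, in plain Ruby so it runs without Rails. The `app=0` parameter comes from the answer; the function names and the sample requests are assumptions made for illustration, and the app is assumed to validate `signed_request` elsewhere.

```ruby
# Added example (not from the original answers). In a Rails app the body of
# update_canvas_flag would live in the before_filter; `params` and `session`
# are plain hashes here so the logic can be run on its own.

# Returns true when the request should get canvas logic, and keeps
# session[:canvas] in sync with what the request tells us.
def update_canvas_flag(params, session)
  if params["app"] == "0"
    # The in-page script found the page outside an iframe and redirected
    # here. This parameter is client-controlled, so it may only clear the
    # flag, never set it.
    session.delete(:canvas)
  elsif params.key?("signed_request")
    # Facebook sends signed_request only on the initial canvas landing,
    # so the flag has to persist for later requests inside the canvas.
    session[:canvas] = true
  end
  session[:canvas] == true
end

# Constructed sample: one user's requests in order, sharing one session.
def replay_sample_requests
  session = {}
  [
    { "signed_request" => "constructed-placeholder" }, # canvas landing
    {},                                                # click inside the canvas
    { "app" => "0" },                                  # script redirect on direct visit
    {}                                                 # later direct visit
  ].map { |params| update_canvas_flag(params, session) }
end

p replay_sample_requests if __FILE__ == $PROGRAM_NAME
```
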
0

Instead of storing this information in the session, check for the existence of the signed_request parameter. If there is no parameter, it possibly means the user is not inside the Facebook app anymore.

Maurício Linhares
  • The signed_request is only generated on the initial landing on the canvas. It won't be there if the user is navigating within the canvas. – Slick23 Nov 28 '11 at 03:24
0

I might be completely wrong, but doesn't Facebook access your canvas content by a POST instead of a GET request? Wouldn't that be the easiest way to distinguish where the request came from?

Javier
  • It does actually, but the Rails app will also access some parts as POST, too, so how would you distinguish between when it's the Rails app and the canvas? – Slick23 Dec 20 '11 at 17:42
  • Well, you're free to define your POST methods in your Rails App. In other words: It should be rather easy to make sure certain POST methods are just used by Facebook and not by anything else in your app (e.g. a form). – Javier Apr 20 '12 at 16:24