I have some problems with the implementation of my first application with "Login to Facebook". The user MUST be registered on my system, but he can associate an FB account with him. When the FB account is linked, I just save the user's email address from facebook.
When the user clicks "login with facebook" (given that he is already registered with facebook), I simply look at his email profile and send it to the server to check if the user has an email associated with him. If such a user exists, I create a session for this user. This is the code to capture the userβs email and send it to the server:
function login() { FB.api('/me', function (user) { $.ajax( { url: "my_ajax_page.php", type: "POST", data: {controller: "MyController", action: "LinkEmail", fbmail: user.email}, success: function (response) { if(response == 1) { alert("Success!"); } }, error: function () { alert("Error"); } } ); } ); }
There is a big security flaw with this approach, anyone can create a script to send emails to my system, and this βwrongβ email will be associated with the current registered user account:
function hacking() { $.ajax( { url: "my_ajax_page.php", type: "POST", data: {controller: "MyController", action: "LinkEmail", fbmail: ' someonemail@mail.com '}, success: function (response) { if(response == 1) { alert("Success!"); } }, error: function () { alert("Error"); } } }
What approach can be used to secure login with FB?
source share