Is Facebook Login Safe?

I want people to log in using Facebook login. But I wonder whether this is enough, or whether I am just doing it wrong.

What I get after a successful login is the user data, including the facebook_id, which I insert into the DB; it is transferred via JavaScript to the server through a handler, since I use ASP.NET.

But I think that a malicious user could change this data and embed garbage on the server, or even embed a different facebook_id.

So I wonder whether Facebook login is enough, or whether I am doing it wrong. I thought of another option for transferring client data to the server: posting back to the server with hidden text fields (runat="server"), but a malicious user can still change these text fields. I read here about the possibility of letting users add a password to their Facebook username, but that sounds a bit unfriendly.

Am I right? Is there a way to make this safer? Is there a cookie that Facebook puts in the client browser that I can read from the server? Since so many websites use this “Facebook login”, there may be another way that I didn't think of...

+6
3 answers

Pass the access token to the server (or check it using the cookie Facebook sets) and then, from the server, call https://graph.facebook.com/me?access_token=... and get the Facebook id that way. You can get the access_token by calling FB.getLoginStatus from the JavaScript SDK.

+4

You can use OAuth to move this operation to the server.

Take a look at this blog post:

http://you.arenot.me/2010/09/28/facebooks-graph-api-and-asp-net/

0

It is important to make an independent call from the server, especially if you save the Facebook user ID in a database or something like that. That way you know it is genuine.

First, after calling FB.init in the Facebook JavaScript SDK, get the user access token and Facebook user ID through the JavaScript SDK, like this:

FB.getLoginStatus(function (response) {
    // 'connected' means the user is logged in to Facebook and has authorised this app
    if (response.status === 'connected') {
        var token = response.authResponse.accessToken;    // user access token
        var facebookUserID = response.authResponse.userID; // user id as reported to the client
        // both values are sent to the server, which must verify them independently
    }
});

Second, after you have received the access token and Facebook user ID, you will want to transfer these variables to your server. If you use WCF or some other web service with JSON.NET, you can create a method such as:

using System;
using System.IO;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;
using Newtonsoft.Json.Linq;

[WebInvokeAttribute(BodyStyle = WebMessageBodyStyle.WrappedRequest,
                    RequestFormat = WebMessageFormat.Json,
                    ResponseFormat = WebMessageFormat.Json)]
[OperationContractAttribute]
public Stream AuthenticateFacebook(string facebookUserId, string token)
{
    // Ask Facebook who this token belongs to. The token is URL-encoded so a crafted
    // value cannot smuggle extra query parameters into the request.
    var url = "https://graph.facebook.com/me?access_token=" + Uri.EscapeDataString(token);
    string json;
    try
    {
        using (var client = new WebClient())
        {
            json = client.DownloadString(url);
        }
    }
    catch (WebException)
    {
        // The Graph API answers an invalid token with an HTTP error, which
        // DownloadString surfaces as an exception rather than as a JSON body.
        throw new FaultException("Error validating Facebook token.");
    }
    JObject parsedJson = JObject.Parse(json);

    // Ensure that there isn't a random Facebook server error
    if (parsedJson["error"] != null)
    {
        throw new FaultException("Error parsing Facebook token.");
    }

    // Ensure the facebook user ID passed in via the client matches the one received from the server.
    if (Convert.ToString(parsedJson["id"]) != facebookUserId)
    {
        throw new FaultException("Facebook login ids do not match. Something fishy is going on...");
    }

    // Now you know you have a valid facebook login id. Do your database stuff or whatever else here.
    return new MemoryStream(Encoding.UTF8.GetBytes("{\"authenticated\":true}"));
}

You have now confirmed that the user is who they say they are.

0

Source: https://habr.com/ru/post/907648/
