Talk:Authentication Model for JavaScript API
From Facebook Developer Wiki
OK, we know how to get an authenticated user on the client side. Now how can we verify the user's identity on the server side? The server can get the user ID in a cookie but cannot assume its authenticity before some kind of verification. Should the server connect to Facebook to check that the session key in the cookies matches the user ID, using user.getinfo for instance?
- Try using Users.getLoggedInUser instead. If you get back a user ID, then the session is valid. Facebook will validate the session by checking its signature parameter, which can only be correctly generated using your app secret, which is known only by your application and Facebook.
- -- Pete (User:563683308)
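An added example, not part of the original discussion and not Facebook's code: a server-side check of the session cookies' signature before the user ID is trusted. It assumes the legacy Platform scheme (MD5 over the sorted `name=value` pairs followed by the app secret, with cookies named `<api_key>_<name>` and the signature in the cookie named `<api_key>`); the key, secret and cookie values are constructed.

```python
import hashlib
import hmac
import time

# Constructed sample values; a real API key and secret come from the app settings.
API_KEY = "0123456789abcdef"
APP_SECRET = "constructed-app-secret"


def expected_sig(params, secret):
    """MD5 over sorted 'name=value' pairs followed by the secret (assumed legacy scheme)."""
    base = "".join(f"{k}={params[k]}" for k in sorted(params))
    return hashlib.md5((base + secret).encode("utf-8")).hexdigest()


def verified_user_id(cookies, api_key, secret, now=None):
    """Return the user ID if the cookies are authentic and unexpired, else None."""
    prefix = api_key + "_"
    # Signed parameters are the cookies named '<api_key>_<name>'.
    params = {k[len(prefix):]: v for k, v in cookies.items() if k.startswith(prefix)}
    sig = cookies.get(api_key, "")
    if "user" not in params:
        return None
    # Constant-time comparison: do not leak how much of the signature matched.
    want = expected_sig(params, secret).encode("utf-8")
    if not hmac.compare_digest(want, sig.encode("utf-8")):
        return None
    # 'expires' is a Unix timestamp; 0 is assumed to mean a non-expiring session.
    try:
        expires = int(params.get("expires", "0"))
    except ValueError:
        return None
    now = time.time() if now is None else now
    if expires != 0 and expires < now:
        return None
    return params["user"]


def sample_cookies(user="1000001", expires="2000000000"):
    """Build a constructed, correctly signed cookie set for demonstration."""
    params = {"user": user, "session_key": "constructed-session",
              "expires": expires, "ss": "constructed-ss"}
    cookies = {API_KEY + "_" + k: v for k, v in params.items()}
    cookies[API_KEY] = expected_sig(params, APP_SECRET)
    return cookies
```

The signature only proves the cookies were produced with the app secret; whether the session is still live on Facebook's side is what the `Users.getLoggedInUser` call suggested above answers.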
Umm... I just tried this out (November 2008) and it looks like "http://www.facebook.com/js/api_lib/FacebookApi.debug.js" no longer implements FB. Ciao, Andrea
