From Facebook Developer Wiki

Can you add some information about how iframe apps can verify request signatures? It seems that only the initial request contains fb_sig_ URL params. All subsequent requests (i.e. user clicks within the app frame) must verify the signature using cookies like Connect.

Is the above correct? If so, are there any pitfalls? I'm having a lot of trouble getting it to work correctly.

Thanks.