Your callback page and you
From Facebook Developer Wiki
The callback page is the page Facebook calls whenever it needs to notify your app of something or get the content of the canvas page for your app. (Not all content is retrieved this way. To put content on profile pages, for example, you push it to Facebook rather than having it pulled via callback. See Basic application architecture for more.)
Canvas Pages & Callback Pages
Note that the user may or may not be logged in to Facebook, and a logged-in user may or may not have authorized the app. As an app programmer, you can let the user authorize later by holding back on the $facebook->require_login() call. So, technically, three states are possible:
- The user is not logged in to Facebook.
- The user is logged in to Facebook, but has not "granted access" to your application.
- The user is logged in to Facebook, and has "granted access" to your application.
The variables passed to the callback page for a canvas page request in each of these three states are, respectively:
The user is not logged in to Facebook.
- fb_sig_in_canvas => 1 [1/0, is this a request for a canvas page?]
- fb_sig_request_method => GET
- fb_sig_position_fix => 1
- fb_sig_locale => en_US
- fb_sig_in_new_facebook => 1
- fb_sig_time => 124....34.8315
- fb_sig_logged_out_facebook => 1
- fb_sig_added => 0
- fb_sig_api_key => a8..API_KEY_OF_APP...b2
- fb_sig_app_id => 7..THE_APP_ID..9
- fb_sig => 98...SOME_RANDOM_SIG...19
The user is logged in to Facebook, but has not "granted access" to your application.
- fb_sig_in_canvas => 1 [1/0, is this a request for a canvas page?]
- fb_sig_request_method => GET
- fb_sig_position_fix => 1
- fb_sig_locale => en_US
- fb_sig_in_new_facebook => 1
- fb_sig_time => 123....56.5721
- fb_sig_added => 0
- fb_sig_api_key => a8..API_KEY_OF_APP...b2
- fb_sig_app_id => 7..THE_APP_ID..9
- fb_sig => 98...SOME_RANDOM_SIG...19
The user is logged in to Facebook, and has "granted access" to your application.
- fb_sig_in_canvas => 1 [1/0, is this a request for a canvas page?]
- fb_sig_request_method => GET
- fb_sig_friends => here, will, be, a, comma, separated, list, of, userids, of, the, authorizing, user
- fb_sig_position_fix => 1
- fb_sig_locale => en_US
- fb_sig_in_new_facebook => 1
- fb_sig_time => 12....72.9749
- fb_sig_added => 1
- fb_sig_profile_update_time => 12...95
- fb_sig_expires => 12....00 [is 0 if the session key contained in fb_sig_session_key never expires]
- fb_sig_user => USERID_OF_AUTHORING_USER..2101
- fb_sig_session_key => 2.2 ...SESSION_KEY....2101
- fb_sig_ext_perms => auto_publish_recent_activity
- fb_sig_api_key => a8..API_KEY_OF_APP...b2
- fb_sig_app_id => 7..THE_APP_ID..9
- fb_sig => 98...SOME_RANDOM_SIG...19
NOTES:
- See Bug# 107. On some occasions you do not get these fields when the user has logged on to Facebook even though they may have "granted access" to your app when they installed it.
- For fb_sig: To verify that a request to your canvas page came from Facebook, strip the fb_sig_ prefix from each of the other parameter names before hashing them, then compare the result against the signature contained in fb_sig.
- If you use the callback as a canvas (as you likely will), make sure to append a slash to the end of it, as the remainder of the URL will be appended right after the canvas to form your iframe URL.
- When any user installs your app for the first time, the following parameters are passed to your callback page via GET:
  - installed=1
  - auth_token=(some value)
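The fb_sig check from the note above, as an added example (not code from this wiki or from Facebook's client library). It assumes the legacy scheme in which the stripped parameters are sorted by key, joined as key=value with no separator, followed by the application secret, and hashed with MD5; the function names, the max_age replay window and the sample request are hypothetical and constructed.

```python
import hashlib
import hmac
import time

PREFIX = "fb_sig_"

def signed_params(params):
    """Keep only the fb_sig_* parameters, with the prefix removed from each key."""
    return {k[len(PREFIX):]: v for k, v in params.items() if k.startswith(PREFIX)}

def expected_sig(stripped, secret):
    """Assumed legacy scheme: MD5 of sorted key=value pairs, then the app secret."""
    payload = "".join(f"{k}={stripped[k]}" for k in sorted(stripped))
    return hashlib.md5((payload + secret).encode("utf-8")).hexdigest()

def verify_request(params, secret, max_age=None, now=None):
    """Return the verified, prefix-stripped parameters, or None on any failure."""
    sig = params.get("fb_sig")
    if not sig:
        return None
    stripped = signed_params(params)
    want = expected_sig(stripped, secret).encode("ascii")
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(want, sig.lower().encode("utf-8")):
        return None
    if max_age is not None:  # optional replay window on fb_sig_time (an assumption)
        try:
            age = (time.time() if now is None else now) - float(stripped["time"])
        except (KeyError, ValueError):
            return None
        if not abs(age) <= max_age:
            return None
    return stripped

# Constructed sample, not real Facebook data; the secret is made up.
SECRET = "constructed-app-secret"
SAMPLE = {"fb_sig_in_canvas": "1", "fb_sig_added": "1", "fb_sig_user": "1001",
          "fb_sig_time": "1240000000.8315", "installed": "1"}
SAMPLE["fb_sig"] = expected_sig(signed_params(SAMPLE), SECRET)

if __name__ == "__main__":
    print(verify_request(SAMPLE, SECRET))                            # verified parameters
    print(verify_request(dict(SAMPLE, fb_sig_user="1002"), SECRET))  # tampered request
```

Only the dictionary returned by verify_request is covered by the signature; parameters without the fb_sig_ prefix, such as installed, are not part of the hash and should not be used for authorization decisions.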
AJAX
AJAX calls from inside canvas pages include the same sig params as above, with the exception of fb_sig_in_canvas not being present. Instead fb_sig_is_ajax will be set.
For iframe apps, AJAX calls made from within the iframe while in canvas mode do not pass these variables automatically, which may present the programmer with validation and authorization issues.
IP Addresses
In a canvas page Facebook will pass the calling user's IP address to you in an additional HTTP header called X-FB-USER-REMOTE-ADDR.
