In the last article, “PHP SDK Demystified – A Closer Look at the getSession() Call”, we learned how the PHP SDK tries to build or load the session.
There we touched on the “signed request”. If you want to know more about it, take a look at the Facebook documentation here.
Extracting from that doc:
When you are writing a Facebook canvas application, you often need information from Facebook such as which user is logged in to your application or whose profile the user is viewing. Facebook sends you this information as a JSON object encoded in the signed_request parameter as follows:
- user: A JSON array containing the locale and country of the current user. The locale and country are always available.
- user_id: The Facebook user identifier (UID) of the current user. The user_id is only available after the user authorizes your application.
- page: Contains the Page ID if your app is loaded in a Page tab. Only available if your app is loaded in a Page tab.
- algorithm: The mechanism used to sign the request. Always available.
- issued_at: The Unix timestamp when the request was signed. Always available.
- oauth_token: An opaque string that you can pass to the Graph API or the Legacy REST API. Available when the user has authorized your application.
- expires: The Unix timestamp when the oauth_token expires. Available when the user has authorized your application.
If the user has not yet authorized your application, your application will only be passed a subset of the above information. If the signed_request does not contain the user_id parameter, you should prompt the user to authorize your app. You can handle authorization in one of several ways, ranging from the Login Button to manually performing the OAuth 2.0 flow on your web server.
The sample PHP code there is actually part of the PHP SDK!
After reading that documentation, open the source code of the PHP SDK and go through the functions getSignedRequest() and parseSignedRequest().
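To make the verification concrete, here is an added Python reimplementation of the same scheme that parseSignedRequest() implements: split the value on the first dot, base64url-decode both halves, reject any algorithm other than HMAC-SHA256, and recompute the HMAC over the still-encoded payload string with the app secret. This is example code written for this post, not the SDK's own code. It goes slightly beyond the SDK in two places: the signature comparison is constant-time, and an optional max_age check on issued_at rejects stale requests, which the SDK does not do. The app secret and sample payloads are constructed for the demo; make_signed_request() exists only to build test input, since a canvas app never signs, it only verifies.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this demo only; a real app secret is read from
# configuration and never hard-coded.
APP_SECRET = "constructed-demo-app-secret"


def base64_url_decode(s: str) -> bytes:
    """Decode base64url without padding, the alphabet Facebook uses."""
    s = s.replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def base64_url_encode(b: bytes) -> str:
    """Inverse of base64_url_decode (unpadded base64url)."""
    return base64.urlsafe_b64encode(b).decode("ascii").rstrip("=")


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Build a signed_request the way Facebook does. Only needed here to
    construct sample input; a canvas app only ever parses them."""
    encoded_payload = base64_url_encode(json.dumps(payload).encode("utf-8"))
    sig = hmac.new(app_secret.encode("utf-8"),
                   encoded_payload.encode("ascii"), hashlib.sha256).digest()
    return base64_url_encode(sig) + "." + encoded_payload


def parse_signed_request(signed_request: str, app_secret: str,
                         max_age: Optional[int] = None,
                         now: Optional[float] = None) -> Optional[dict]:
    """Verify and decode a signed_request.

    Returns the payload dict, or None if the value is malformed, names an
    unexpected algorithm, fails the HMAC check, or (when max_age is given)
    was issued too long ago. Mirrors the checks in the SDK's
    parseSignedRequest(), plus a constant-time comparison and the optional
    freshness check that the SDK does not perform.
    """
    parts = signed_request.split(".", 1)
    if len(parts) != 2:
        return None
    encoded_sig, encoded_payload = parts
    try:
        sig = base64_url_decode(encoded_sig)
        data = json.loads(base64_url_decode(encoded_payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(data, dict):
        return None
    # Only the algorithm we expect; anything else is rejected outright
    # (the SDK does the same with strtoupper()).
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The MAC covers the *encoded* payload string, not the decoded JSON.
    expected = hmac.new(app_secret.encode("utf-8"),
                        encoded_payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if max_age is not None:
        issued_at = data.get("issued_at")
        current = time.time() if now is None else now
        if not isinstance(issued_at, (int, float)) or current - issued_at > max_age:
            return None
    return data


def needs_authorization(data: dict) -> bool:
    """Per the docs: no user_id means the user has not yet authorized the app."""
    return "user_id" not in data


if __name__ == "__main__":
    # Constructed sample: an authorized user with locale/country.
    sample = {"algorithm": "HMAC-SHA256", "issued_at": 1300000000,
              "user_id": "123456", "user": {"country": "us", "locale": "en_US"}}
    sr = make_signed_request(sample, APP_SECRET)
    print(parse_signed_request(sr, APP_SECRET))          # the payload
    print(parse_signed_request(sr, "wrong-secret"))      # None
```

Note that the HMAC input is the base64url-encoded payload exactly as received. Re-encoding the decoded JSON before verifying would break on any difference in key order or whitespace, and comparing with `==` or `!==` instead of a constant-time compare leaks timing information about the signature.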