Today, I saw the following question asked on StackOverflow:
Why does the Facebook PHP SDK not set cookies?
Facebook’s PHP SDK can decode signed_requests that are passed to the app via POST, or stored in a cookie, but the SDK itself does not actually set a cookie for the signed_request to be persisted.
I have created my app so that it sets a cookie containing the signed_request but am interested in why the PHP SDK does not handle this? I’m wondering if it is perhaps for security reasons, but I can’t possibly see how.
Although storing the signed request in a cookie is technically possible, we may understand the situation better by answering the following questions:
- Why do we need to store the signed request in cookies?
- Who should be responsible for doing this?
When a user accesses our canvas app, Facebook sends us a signed request, which tells us useful information about the request. If we are interested in any of the information within, I think it should be handled at the time of receiving the request. Different apps may have different requirements for this handling. Besides, it is very likely that the app will build a Facebook session at that time (if it does care about the information in the request). Therefore, the information in the signed request should be available afterwards.
Besides, as the PHP SDK code runs on the server side and sends and receives requests to and from the Facebook servers directly, it does not have to care about what the clients are. As a result, I would say that storing the signed request in cookies so that the client can have access to it is outside the scope of the PHP SDK.
That is my thought. Of course, there may be apps that need to store the signed request in cookies because of their own needs. In such a case, I think we can simply extend the PHP SDK!
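One way an app could do this itself, as an added example that is not code from the Facebook PHP SDK or from the original question: it verifies the HMAC-SHA256 signature of the signed_request with the app secret when the request arrives, and only then persists it in a cookie. The function names, the APP_ID and APP_SECRET placeholders and the cookie name are assumptions.

```php
<?php
// Added example. APP_ID, APP_SECRET, the cookie name and all function names are assumptions.
const APP_ID = 'YOUR_APP_ID';
const APP_SECRET = 'YOUR_APP_SECRET';

// Decode base64url (URL-safe alphabet, padding stripped); null on malformed input.
function base64UrlDecode(string $input): ?string
{
    $padded = $input . str_repeat('=', (4 - strlen($input) % 4) % 4);
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    return $decoded === false ? null : $decoded;
}

// Return the decoded payload only if the signature matches; otherwise null.
function parseSignedRequest(string $signedRequest, string $secret): ?array
{
    $parts = explode('.', $signedRequest, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encodedSig, $payload] = $parts;
    $sig = base64UrlDecode($encodedSig);
    $json = base64UrlDecode($payload);
    if ($sig === null || $json === null) {
        return null;
    }
    $data = json_decode($json, true);
    if (!is_array($data) || !is_string($data['algorithm'] ?? null) || strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        return null;
    }
    // The MAC covers the still-encoded payload; compare in constant time.
    $expected = hash_hmac('sha256', $payload, $secret, true);
    return hash_equals($expected, $sig) ? $data : null;
}

// Read from POST first, then the cookie; persist only a fresh, verified value.
function handleSignedRequest(array $post, array $cookies): ?array
{
    $cookieName = 'fbsr_' . APP_ID;
    $raw = $post['signed_request'] ?? $cookies[$cookieName] ?? null;
    $data = is_string($raw) ? parseSignedRequest($raw, APP_SECRET) : null;
    if ($data !== null && isset($post['signed_request']) && !headers_sent()) {
        setcookie($cookieName, $raw, ['path' => '/', 'secure' => true, 'httponly' => true]);
    }
    return $data;
}
```

Calling `handleSignedRequest($_POST, $_COOKIE)` at the start of the canvas page returns the verified payload, or null when the value is missing or has been tampered with. A value read back from the cookie goes through the same signature check, so the cookie is never trusted on its own.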