Why the Facebook PHP SDK does not persis Facebook signed request in cookies?

Today, I have seen the following question asked in the StackOverflow,

Why does the Facebook PHP SDK not set cookies?

Facebook’s PHP SDK can decode signed_requests that are passed to the app via POST, or stored in a cookie, but the SDK itself does not actually set a cookie for the signed_request to be persisted.

Instead, the PHP SDK defers cookie setting to the Javascript SDK, an approach that has issues. (Safari and other browsers by default do not allow the Javascript SDK to set cookies for canvas apps.)

I have created my app so that it sets a cookie containing the signed_request but am interested in why the PHP SDK does not handle this? I’m wondering if it is perhaps for security reasons, but I can’t possibly see how.

Although storing the signed request in cookie can be done technically, we may understand the situation better by answering the following questions:

  • Why we need to store the signed request in cookies
  • Who should be responsible for doing this

While a user access our canvas app, Facebook will send us a signed request.  This tells us useful information about the request.  And if we are interested in any of the information within, I think it should be handled at the time of receiving the request. Different apps may have different requirements on the handling.  Besides, it is very likely that app will build a Facebook session at that time (if it does care about the information in request) Therefore, information in the signed request should be available afterwards.

Besides, as the PHP SDK code runs at server side, it does not have to care about what the clients are as the PHP SDK is to send/receive requests to/from Facebook server directly. As a result, I would say storing the signed request in cookies so that client can have access to it is outside the scope of the PHP SDK.

That’s is my thought…. Of course, there may be apps that needs to store the signed request in cookies because of their own needs.  In such a case, I think we can simply extend the PHP SDK!

About takwing

A moderator of the Official Facebook Developer Forum. http://www.takwing.idv.hk/tech/fb_dev/index.php
This entry was posted in PHP SDK Demystified and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *