Secure PostRemove.aspx?

Jan 15, 2008 at 10:44 PM
Edited Jan 15, 2008 at 10:49 PM
How do you implement the post remove script securely? It doesn't work if it inherits from my master page...

I know I can just get the user's id using Request.Form("fb_sig_user"): but then couldn't anyone pass someone's userid to my remove page? I have to implement the verification that the post is coming from facebook on this page and I'm a little lost.

This is the code in my PostRemove.aspx:

<%@ Page Language="VB" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">

    ' DBSqlConnection and databasename are the poster's own project helpers
    Dim objDB As New DBSqlConnection(databasename, True)
    Dim objCmd As SqlCommand
    Dim strSQL As String

    Private _fbService As Facebook.Components.FacebookService = New Facebook.Components.FacebookService()

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs)
        _fbService.ApplicationKey = ConfigurationManager.AppSettings("FACEBOOK_API_KEY")
        _fbService.Secret = ConfigurationManager.AppSettings("FACEBOOK_SECRET")

        Dim strUserId As String
        'strUserId = _fbService.GetLoggedInUser() 'DOES NOT WORK
        'strUserId = _fbService.UserId ' DOES NOT WORK
        strUserId = Request.Form("fb_sig_user") ' THIS WORKS BUT IS IT SECURE?

        If Request.Form("fb_sig_uninstall") = "1" Then
            objDB.Connect()
            Try
                ' Parameterised delete keyed on the Facebook user id
                strSQL = "DELETE FROM Facebook_Users WHERE (facebook_uid = @facebook_uid)"
                objCmd = New SqlCommand(strSQL, objDB.SqlConn)
                objCmd.Parameters.Add("facebook_uid", SqlDbType.VarChar, 20).Value = strUserId
                objCmd.ExecuteNonQuery()
            Catch ex As Exception
                'ERROR (swallowed; nothing is logged here)
            End Try
            objDB.Disconnect()
        End If
    End Sub
</script>

Jan 16, 2008 at 10:07 PM
Edited Jan 16, 2008 at 10:08 PM
I haven't made a remove page for my app yet, but it's on my radar. I was planning on generally following the guidelines they have here for checking the signature from facebook to see if it's a valid request: http://wiki.developers.facebook.com/index.php/Post-Remove_URL
Jan 17, 2008 at 2:27 PM

mharper wrote:
I haven't made a remove page for my app yet, but it's on my radar. I was planning on generally following the guidelines they have here for checking the signature from facebook to see if it's a valid request: http://wiki.developers.facebook.com/index.php/Post-Remove_URL

Yes, that is what I was attempting. It doesn't seem like I can use Facebook.Components.FacebookService to validate. Can you post your code if you get it working?
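The signature check the linked Post-Remove page describes, as an added VB.NET example (not code from this thread or from the Facebook Developer Toolkit). It follows the legacy Facebook scheme as I understand it, which is an assumption to verify against the wiki: the fb_sig_* fields are sorted by name with the prefix removed, concatenated as name=value pairs with no separator, the application secret is appended, and the lowercase MD5 hex digest must equal fb_sig. The class, function and parameter names are my own; it also refuses requests whose fb_sig_api_key is not yours or whose fb_sig_time is older than maxAgeSeconds.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Collections.Specialized
Imports System.Globalization
Imports System.Security.Cryptography
Imports System.Text

Public Class FacebookSignature
    ' Returns True only when the posted form carries a signature that could
    ' have been produced with our application secret (assumed legacy scheme).
    Public Shared Function IsValidRequest(ByVal form As NameValueCollection, _
                                          ByVal apiKey As String, _
                                          ByVal secret As String, _
                                          ByVal maxAgeSeconds As Integer) As Boolean
        Dim expected As String = form("fb_sig")
        If String.IsNullOrEmpty(expected) Then Return False

        ' Refuse requests signed for another app or replayed after maxAgeSeconds
        If form("fb_sig_api_key") <> apiKey Then Return False
        Dim sigTime As Double
        If Not Double.TryParse(form("fb_sig_time"), NumberStyles.Float, _
                               CultureInfo.InvariantCulture, sigTime) Then Return False
        Dim nowUnix As Double = (DateTime.UtcNow - New DateTime(1970, 1, 1)).TotalSeconds
        If Math.Abs(nowUnix - sigTime) > maxAgeSeconds Then Return False

        ' Collect fb_sig_* fields, strip the prefix, sort by name, join as name=value
        Dim pairs As New List(Of String)
        For Each key As String In form.AllKeys
            If key IsNot Nothing AndAlso key.StartsWith("fb_sig_") Then
                pairs.Add(key.Substring("fb_sig_".Length) & "=" & form(key))
            End If
        Next
        pairs.Sort(StringComparer.Ordinal)
        Dim raw As String = String.Join("", pairs.ToArray()) & secret

        Dim digest As Byte() = MD5.Create().ComputeHash(Encoding.UTF8.GetBytes(raw))
        Dim sb As New StringBuilder()
        For Each b As Byte In digest
            sb.Append(b.ToString("x2"))
        Next
        Return SameSignature(sb.ToString(), expected.ToLowerInvariant())
    End Function

    ' Compare every character so timing does not reveal how much of a guess matched
    Private Shared Function SameSignature(ByVal a As String, ByVal b As String) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (AscW(a(i)) Xor AscW(b(i)))
        Next
        Return diff = 0
    End Function
End Class
```

In Page_Load, call FacebookSignature.IsValidRequest(Request.Form, apiKey, secret, 300) before reading fb_sig_user and return a 403 (or simply do nothing) when it is False, so a hand-crafted POST with someone else's user id never reaches the DELETE.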
Jan 18, 2008 at 9:54 PM
You can use the fb_sig_user, fb_sig_session_key and fb_sig_api_key to look up which user is uninstalling your application.

All those are secret, meaning, only facebook and you are able to know them since they are provided when they logged in/added your application.

Jul 3, 2008 at 6:51 AM
If anybody's still reading this post, I've posted some code that does this (it's mostly out of the toolkit, but refactored slightly for ease of use on post-remove):
http://www.itu.dk/~friism/blog/?p=59
Mar 25, 2010 at 4:20 AM

You can also use this.Api.Users.IsAppUser to check whether a user has authorized your application and this.Api.Pages.IsAppAdded to check whether a page has added the application.