Potentially Breaking Change for Canvas Applications (Jan 2010)

Jan 9, 2010 at 12:38 PM

Hi,

Just saw the entry on the Facebook Developer Update page.

Sounds like it will affect the Facebook Developer Toolkit in a major "show stopping" way, or am I wrong? I couldn't really understand how the auth_token works in the code.

Potentially Breaking Change for Canvas Applications
08 January 2010 12:04
This change has the potential to affect canvas applications only. It doesn't affect Facebook Connect sites, desktop applications, or any type of mobile applications.
Historically, when a user who hadn't authorized an application first visited that application's canvas page, the user would typically get redirected to tos.php. After the user authorized the application, Facebook would redirect the user back to the application's canvas callback URL and include a GET parameter named "auth_token." Over time various fb_sig parameters were also POSTed to the canvas callback URL, so eventually auth_token became superfluous. After the January 12, 2010, weekly push, we will stop passing auth_token to the canvas callback URL when redirecting a user after authorization. 
As long as your application isn't using the auth_token for any purpose (for example, using it for logging or analytics), you shouldn't experience any problems. However, if you rely on this parameter under any circumstances, there is a potential for problems. Please make sure your canvas applications never rely on being passed this parameter.


Jan 9, 2010 at 11:55 PM

It's all good. You shouldn't be using auth_token anyway. Facebook kept auth_token just for compatibility with older apps and now they are officially retiring it.

Jan 10, 2010 at 12:57 PM
Edited Jan 10, 2010 at 12:59 PM

That's what I'm hoping is the case. I'm not using auth_token in my apps, but the base code in CanvasSession.cs still is:

Excerpt from CanvasSession.cs:

if (!string.IsNullOrEmpty(sessionKeyFromRequest))
{
    SetSessionProperties(
        sessionKeyFromRequest,
        long.Parse(inProfileTab ? HttpContext.Current.Request[QueryParameters.ProfileUser] : HttpContext.Current.Request[QueryParameters.User]),
        DateHelper.ConvertUnixTimeToDateTime(long.Parse(HttpContext.Current.Request[QueryParameters.Expires])));
}
else if (HaveValidCachedSession(cachedSessionInfo, authToken, HttpContext.Current.Request[QueryParameters.ApiKey]))
{
    SetSessionProperties(cachedSessionInfo.SessionKey, cachedSessionInfo.UserId, cachedSessionInfo.ExpiryTime);
}
else if (!string.IsNullOrEmpty(authToken))
{
    session_info sessionInfo = new Api(this).Auth.GetSession(authToken);
    SetSessionProperties(sessionInfo.session_key, sessionInfo.uid, DateHelper.ConvertUnixTimeToDateTime(sessionInfo.expires));
}
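The announcement quoted above says the fb_sig parameters made auth_token superfluous. The following is an added example, not code from the Facebook Developer Toolkit or from any poster in this thread: it shows a canvas callback taking the session key from the signed fb_sig_* parameters alone and rejecting a request whose signature does not verify. The class name, secret and parameter values are constructed, and the signature scheme (MD5 over the sorted name=value pairs plus the application secret) is the legacy platform scheme, stated here as an assumption because the page does not describe it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class SignedCanvasParams   // hypothetical helper, not part of the toolkit
{
    const string Prefix = "fb_sig_";

    // Assumed legacy canvas signature: MD5 over the sorted "name=value" pairs of
    // the fb_sig_* parameters (prefix removed), followed by the application secret.
    public static string ComputeSig(IDictionary<string, string> p, string secret)
    {
        var sb = new StringBuilder();
        foreach (var kv in p.Where(x => x.Key.StartsWith(Prefix, StringComparison.Ordinal))
                            .OrderBy(x => x.Key, StringComparer.Ordinal))
            sb.Append(kv.Key.Substring(Prefix.Length)).Append('=').Append(kv.Value);
        sb.Append(secret);
        using (var md5 = MD5.Create())
            return BitConverter.ToString(md5.ComputeHash(Encoding.UTF8.GetBytes(sb.ToString())))
                               .Replace("-", "").ToLowerInvariant();
    }

    // Returns the session key only if the signature verifies. auth_token is never read.
    public static string SessionKey(IDictionary<string, string> p, string secret)
    {
        string sig, key;
        if (!p.TryGetValue("fb_sig", out sig) || !p.TryGetValue("fb_sig_session_key", out key))
            return null;
        string expected = ComputeSig(p, secret);
        int diff = sig.Length ^ expected.Length;          // constant-time comparison
        for (int i = 0; i < sig.Length && i < expected.Length; i++) diff |= sig[i] ^ expected[i];
        return diff == 0 ? key : null;
    }

    static void Main()
    {
        const string secret = "constructed-app-secret";   // constructed sample values throughout
        var p = new Dictionary<string, string> {
            { "fb_sig_user", "1000001" }, { "fb_sig_session_key", "constructed-session-key" },
            { "fb_sig_expires", "1263300000" }, { "fb_sig_added", "1" } };
        p["fb_sig"] = ComputeSig(p, secret);              // stands in for the platform's signature
        Console.WriteLine(SessionKey(p, secret) ?? "rejected");
        p["fb_sig_user"] = "1000002";                     // parameter altered after signing
        Console.WriteLine(SessionKey(p, secret) ?? "rejected");
    }
}
```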

Jan 11, 2010 at 2:37 AM

Interesting. I myself don't use CanvasSession and I am pretty confident my app will not be affected, but some other apps might be; it's hard to tell without digging deep into the FDT source. On a more general note, the state of support for FDT offers some cause for concern; if I had a serious business interest tied to Facebook, I would not rely on FDT in its current state.