How many people use FDT 3 to build IFRAME apps?

Feb 11, 2010 at 7:35 PM

I am wondering how many people out there are using FDT to build IFRAME apps?  I ask because after struggling such a long time to migrate a 2.0 framework site to 3.01, it really feels like this thing has not been tested well.  I can't imagine many people are using FDT 3.01 "as is" for anything more than a very rudimentary app without having to change some of the source code to get it to work.  Authentication seems to be totally screwed up and unreliable.   The discussion board seems littered with slightly different problems that are all related in some way to this.

I do have empathy for the developers, since Facebook itself is such an utter nightmare to code for...    but I was really hoping that with Microsoft's renewed interest in this project that it'd be more usable.  Perhaps by its very nature anything you build for Facebook will always feel like a hack.


Feb 12, 2010 at 4:52 PM

Microsoft's interest in this library seems very very low.  There has been zero engagement from the developers or Microsoft since 3.0 launched in November.  No bug fixes, no discussion forum posts, no responses to "Issue Tracker" items, no patches...they have dropped off the face of the earth and we are left to support it ourselves as "the community".

With that said, I have an Iframe app with a couple thousand monthly active users I've built on 3.01 FDT.

Feb 12, 2010 at 5:50 PM

It's sad that Microsoft lost interest..  some of my clients found their support reassuring.  But good that there are other people out there with successfully deployed IFRAME apps.  

I've solved the one problem that was holding back my migration from 2 to 3 -- redirects from within the app (Response.Redirect) would always result in weird invalid API errors or the app breaking out of the Facebook chrome (not an uncommon problem).  Redirects worked fine in v2 and I'm not sure what changed.   I basically had to add fb_sig_session_key, fb_sig_user, and fb_sig_expires to all my redirects (not an uncommon solution).
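
The redirect fix described in the post above, as an added example that is not code from the thread or from the FDT: a helper that copies the three named parameters from the current request onto an in-app redirect and refuses targets that would send the session key to another host. `FacebookRedirect`, `BuildUrl` and `ToAppPage` are hypothetical names, and reading the values from the query string is an assumption.

```csharp
using System;
using System.Text;
using System.Web;

// Added illustration; FacebookRedirect is a hypothetical helper, not an FDT type.
public static class FacebookRedirect
{
    // The three parameters the post says must accompany every in-app redirect.
    private static readonly string[] Carried =
        { "fb_sig_session_key", "fb_sig_user", "fb_sig_expires" };

    // Returns relativeUrl with the carried parameters appended.
    public static string BuildUrl(HttpRequest request, string relativeUrl)
    {
        // Only in-app targets: reject absolute and protocol-relative URLs,
        // backslashes and fragments, so the session key stays on this host
        // and the appended query string lands where the page will read it.
        if (string.IsNullOrEmpty(relativeUrl)
            || !Uri.IsWellFormedUriString(relativeUrl, UriKind.Relative)
            || relativeUrl.StartsWith("//")
            || relativeUrl.IndexOf('\\') >= 0
            || relativeUrl.IndexOf('#') >= 0)
        {
            throw new ArgumentException("Only in-app relative URLs are allowed.", "relativeUrl");
        }

        StringBuilder url = new StringBuilder(relativeUrl);
        char separator = relativeUrl.IndexOf('?') >= 0 ? '&' : '?';
        foreach (string name in Carried)
        {
            // Assumption: the values arrived on the current request's query string.
            string value = request.QueryString[name];
            if (string.IsNullOrEmpty(value)) continue;
            url.Append(separator).Append(name).Append('=')
               .Append(HttpUtility.UrlEncode(value));
            separator = '&';
        }
        return url.ToString();
    }

    // Drop-in replacement for a bare Response.Redirect inside the canvas IFRAME.
    public static void ToAppPage(HttpContext context, string relativeUrl)
    {
        context.Response.Redirect(BuildUrl(context.Request, relativeUrl), true);
    }
}
```

Because the session key travels in the URL, it also ends up in server logs and in any Referer header sent from the target page.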

Mar 4, 2010 at 11:22 AM
Edited Mar 5, 2010 at 10:13 AM

Great post.  This got me up and working!



Mar 9, 2010 at 9:12 AM
Edited Mar 9, 2010 at 9:13 AM

Hello.  Well, I thought I had this all working, but I am stumped on one other thing.  Currently my page has an iframe embedded within it.  On the outside, I have a header, for which I append all the parameters specified above which loads the src attribute of the iframe.  It seems that I can get invalid sessions within my embedded iframe after a while.  This is especially noticeable when I invalidate the cookies by logging into IE and Firefox, while still using the application in both browsers, while never getting redirected back to the login, on the invalid session.


Let me reiterate once page looks like this...

Facebook Canvas

  --   My Main Page (Default.aspx)

     ---- My Embedded pages contained within an iframe (Needs valid session)

          this frame is loaded with a page.aspx?fb_sig_sesison=""&...

This session seems to get invalid, but I'm never forced to login again.  Both pages require login, default and the embedded iframe.





Mar 12, 2010 at 1:58 AM

Hi ronmichael,

I work for a company who at the moment predominately make Facebook applications. We make IFrame applications using the FDT, and have recently transitioned to v3.

Given the annoying decision of the original release to not cache the session info by default (and a few other things), I have a project set up with the source code for the FDT, and we make changes as necessary - including a fix for this which I pulled from one of the (supposedly) in-progress issues. There seems to be work being done on different issues, but somehow this whole project feels somewhat missing in moderation/developer leadership.

I have also made some other changes to help with our work, as well as developing my own library to go hand-in-hand with the FDT for our development.

If you would like I can send our updated toolkit?



PS. I have messaged the developer who recently uploaded 3.01, but my attempt to contact the team of this project so I can work on it officially has not been responded to. >.<

Mar 12, 2010 at 2:01 AM

I am dying to see how you handle sessions.

Mar 15, 2010 at 7:51 AM
Edited Mar 15, 2010 at 7:54 AM

Here is a file with the changes, as taken from Changeset 39697 :


To use this, you will need to open the FDT source code solution yourself, and then replace the necessary file.

Given I have made some other changes as well, which may have an impact on compilation, including a small change for the authtoken no longer being sent on every request - but still allows for authtoken as it IS sent in the first request after a user allows the application (or logs in if they weren't already).

Of particular interest to you will be the LoadFromRequest() function. ;-)

Mar 16, 2010 at 12:08 AM

My issue is.  I have an embedded iframe within my page.  Thus, I'm sending relative links from my "header" to my iframe. 

I'm not sure where this goes wrong. 

I just added in your ValidCacheSession check, and I've added a Global.asax to handle a redirect in the Response.

Does anyone know how to handle this correctly?

Also, is there a way to check for a valid session with XFBML?



Mar 16, 2010 at 3:08 AM

Your inner IFrame likely has a separate ASP session from the outer one - if you have this setup with the default ASP.Net session handling where the session ID is kept in a cookie.

You should, however, look into using a cookieless mode, as cookies do not work properly inside third party IFrames in Safari - yes, this means IFrame applications have lots of problems in Safari because of such. If you change to cookieless (do a Google search for more details!), then you end up with the session ID in the URL.

You may be able to form a similar URL for the inner IFrame which includes this session ID, and thus will attach to the same ASP session.

Mar 16, 2010 at 3:53 AM

We actually decided to do something different...and handle users at the server level based on their Facebook ID.  So different sessions between top and bottom iframe don't matter anymore. 

I currently have a couple of different problems.  Eventually, I can get an Invalid Session which throws an exception in the FDT.  I was thinking to currently write a catch all which in case of anything weird in the toolkit, refresh the top frame to the Facebook URL.  I can not seem to get past all the security problems that involve = and I have no clue on what to do.  I tried using the code RedirectTopFrame from the FDT which redirects to the login page, but that actually makes my page "break" out of the Facebook chrome leaving the user with a page outside of Facebook.

I've also noticed that if I open up a session in IE and a session in FF, the xFBML does not seem to work anymore.  

Basically, I'm in an iframe within another iframe, is there a special way to call all my links?  I was currently using the other solution by sending parameters to all the links....

Currently I'm loading my embedded iframe as follows (iframename.location.src = "../game/whatever?facebooksessionkey_and_other_parameters_appended").  


It seems I'm all over the place with this reply.  There are 2 things I'm curious about.  1) It seems that my session can get out of whack by using two different browsers at the same time.  xFBML also gets out of whack.  Is there any way to detect and fix this? How about with more FBJS or other FB calls?

2)  Every once in a while, I get an exception from wherever (doesn't matter) and I want to write a catch all, which redirects my top frame and allows for the Facebook session to reload.  I've been trying a lot of JavaScript and have been unsuccessful.  Is this even possible?  Remember I'm in an embedded iframe within the Facebook canvas.  I've tried the RedirectTopFrame, but that breaks me out of the Facebook chrome.  

Thanks for the info...