Home > Articles > Web Development

  • Print
  • + Share This
Like this article? We recommend

Like this article? We recommend

Using the Facebook User ID

Using the Facebook User ID

Another bit of information that's readily available after login is the Facebook user ID. It's stored in a session cookie for your website, so the server scripts can use it immediately after the user has logged in. The cookies set by the Facebook JavaScript library use your API key as the prefix, to ensure that they're unique for each application. For example, after logging into my sample application, the Facebook library set the cookies shown in Figure 3 for my website. Notice that all of them use the API key as the prefix.

The APIKEY_user cookie contains the Facebook user ID and can be used directly by the server scripts to identify the user. As the cookie passes through the user's browser, it's quite easy to change its value and impersonate another user. To prevent such spoofing attacks, Facebook generates an MD5 hash of the cookie parameters and the secret application key (which is the shared secret between you and Facebook) that you can use to verify that the user has not tampered with the cookie data.

The APIKEY_session_key cookie value can also be used by your web server to make direct Facebook API requests; for example, extracting the user's name and surname. Alternatively, this information can be gained through the JavaScript Facebook API, but the JavaScript-derived information can never be fully trusted, so you shouldn't use it in environments where privacy or security is important.

  • + Share This
  • 🔖 Save To Your Account