I am integrating Facebook login into an iOS app. The app relies on an API written in PHP, and it is currently using it for the default login process (email and password). I have successfully added the Facebook SDK and used it to retrieve the user's data from Facebook, but I am stuck on this security issue: if I trust the data coming from the app to be genuine Facebook user data, someone could start sending the API endpoint some Ajax calls and, in the best case scenario, clutter my database with bogus users (since I am adding new users through the Facebook login process).
I am considering the following solution: get the user's data from iOS to use locally, and send to the server nothing but the user's Facebook ID. Since both SDKs should, supposedly, store data in a cookie, I should be able to retrieve the currently logged in User data from the server and check the user ID against the one that came from the app. If everything matches, I can use whatever data I've retrieved server side to add a new user to the db (or simply log him in), and the same data should be present client side.
The problem is that, server side, I always get 0 from the $facebook->getUser() method call. I am probably missing something. Thoughts?
PS > A similar problem happens when I use the Javascript SDK with the same PHP Api, but only if the Javascript App is running on a local machine. If it's running on my staging server, everything works fine. EDIT: This has to do with domain names.
EDIT 2: I didn't put any code, but you can assume the simplest possible example:
$fb = new Facebook(array(
"addId" => "myAppId",
"secret" => "myAppSecret",
"cookie" => true
));
$user = $fb->getUser(); // Returns 0