dsdsdsdsd Posted February 4, 2013

I have my_app which is intended to be accessed only as a Facebook canvas app, and I am looking for a solid test which my_app will perform during the loading phase to verify whether it is or isn't being loaded into a Facebook iframe. So one approach I am looking at is to check the $_REQUEST array. In a legitimate Facebook iframe, the $_REQUEST[ "signed_request" ] is readable. But I would like to know if somehow another webpage could attempt to load my_app and send a fake 'signed_request'.

- thanks, Shannon

dsdsdsdsd (Author) Posted February 4, 2013 (edited)

I guess another way of asking this question is: If I load somebodys_url into an iframe on my_page, can I inject values into the $_REQUEST array that accompanies that request for their page? Please see my first post for the explanation of why I want to know this.

Edited February 4, 2013 by dsdsdsdsd

Christian F. Posted February 4, 2013

Well.. Yes. All the $_REQUEST is data sent to your server by the client, a collection of the data in $_POST, $_GET and $_COOKIE. So if this token is a static token for your application, then it would be trivial to send it from another site too. However, if it's randomly generated for each FB user, and confirmed against a token from the Facebook-user object in your code, then it'll be a bit trickier. It all depends upon how Facebook has set this up.

dsdsdsdsd (Author) Posted February 4, 2013

Christian, thanks for responding; your response is helpful. I am trying to create the scenario, so I made 2 PHP files, iframe__parent.php and iframe__child.php

    // iframe__parent.php
    <?php $_REQUEST[ "signed_request" ] = "blah" ; ?>
    ...
    <iframe src = "iframe__child.php"> </iframe>
    ...

    // iframe__child.php
    <?php var_dump( isset( $_REQUEST[ "signed_request" ] ) ) ; ?>
    // ..... returns false

So although I understand that it is possible (otherwise how would Facebook do it, right?), but how?

thanks for your time, Shannon

Christian F. Posted February 4, 2013

Setting the $_REQUEST value in the parent script doesn't do anything, as that is simply dropped as soon as the script finishes parsing, something it does before the client requests the page linked to in the iframe. To send the desired value to the child page, you need to add it to the URL of the iframe source. That way it will become a GET parameter, which is included in the $_REQUEST array.

Remember: Every single instance of a PHP script is completely separate from any other instances, and unless you send the data specifically to each instance it will not exist.

dsdsdsdsd (Author) Posted February 4, 2013

Aha, of course ... and it worked as you said ... thanks! I have since learned that Facebook apps have an app_secret that is intended to be secret, and that that is included in the $_REQUEST sent with the child_index.php ... I suppose that child_index.php will check for that ... getting ready to test it.

thanks for your answer!

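Facebook documents signed_request as two base64url segments, signature.payload, where the signature is an HMAC-SHA256 of the payload segment keyed with the app secret, so the server-side test discussed in this thread is to recompute that MAC and compare. The PHP below is an added example, not code from the thread or from Facebook's SDK; APP_SECRET, MAX_AGE, the helper names and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example. APP_SECRET and the sample values are constructed placeholders;
// MAX_AGE is an assumed freshness window, not a Facebook-defined value.
const APP_SECRET = 'constructed-example-secret';
const MAX_AGE = 3600;

function b64url_decode(string $s) {
    // base64url swaps '+/' for '-_' and usually drops the '=' padding.
    $s = strtr($s, '-_', '+/');
    return base64_decode($s . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
}

function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns the decoded payload, or null when the value must not be trusted.
function verify_signed_request($raw, string $secret, int $now): ?array {
    if (!is_string($raw) || substr_count($raw, '.') !== 1) {
        return null; // missing, array-typed or malformed input
    }
    [$sigPart, $payloadPart] = explode('.', $raw);
    $sig  = b64url_decode($sigPart);
    $json = b64url_decode($payloadPart);
    if ($sig === false || $json === false) {
        return null;
    }
    // The MAC covers the encoded payload segment exactly as received.
    $expected = hash_hmac('sha256', $payloadPart, $secret, true);
    if (!hash_equals($expected, $sig)) {
        return null; // signature was not made with our app secret
    }
    $data = json_decode($json, true);
    if (!is_array($data) || ($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }
    // Assumed policy: refuse old values so a captured one cannot be replayed.
    $age = $now - (int) ($data['issued_at'] ?? 0);
    return $age <= MAX_AGE ? $data : null;
}

// Constructed inputs: a correctly signed value, one signed with a wrong key,
// and the literal "blah" tried earlier in the thread.
$now  = time();
$body = b64url_encode(json_encode(['algorithm' => 'HMAC-SHA256', 'issued_at' => $now, 'user_id' => '1234']));
$good = b64url_encode(hash_hmac('sha256', $body, APP_SECRET, true)) . '.' . $body;
$bad  = b64url_encode(hash_hmac('sha256', $body, 'wrong-key', true)) . '.' . $body;
foreach ([$good, $bad, 'blah'] as $candidate) {
    var_dump(verify_signed_request($candidate, APP_SECRET, $now) !== null);
}
```

The comparison uses hash_equals so the check runs in constant time, and the secret is only ever used on the server to recompute the MAC.
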
Christian F. Posted February 4, 2013

You're welcome, glad I could help.