Facebook signed_request and SSL/HTTPS being received

Having done more PHP Facebook application development over the last year, I have been building apps that request information about a Facebook user as they view the page. The information is obtained via $_REQUEST['signed_request']. The signed_request is delivered to the canvas/tab URL that you define in the Facebook app settings.
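Because signed_request arrives as an ordinary request parameter, its signature has to be checked against the app secret before anything in it is trusted. The following is an added example, not code from the original post; the function names, the placeholder secret, the one-hour $maxAge window and the sample payload are assumptions for illustration.

```php
<?php
// Added example, not from the original post.

/** Decode Facebook's URL-safe, unpadded base64; null on malformed input. */
function base64UrlDecode(string $input): ?string
{
    $b64 = strtr($input, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $decoded = base64_decode($b64, true);
    return $decoded === false ? null : $decoded;
}

/** Return the verified payload as an array, or null if the value cannot be trusted. */
function parseSignedRequest(string $signedRequest, string $appSecret, int $maxAge = 3600): ?array
{
    $parts = explode('.', $signedRequest, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encodedSig, $encodedPayload] = $parts;
    $sig  = base64UrlDecode($encodedSig);
    $json = base64UrlDecode($encodedPayload);
    if ($sig === null || $json === null) {
        return null;
    }
    $data = json_decode($json, true);
    if (!is_array($data) || ($data['algorithm'] ?? null) !== 'HMAC-SHA256') {
        return null;
    }
    // The signature covers the still-encoded payload; compare in constant time.
    $expected = hash_hmac('sha256', $encodedPayload, $appSecret, true);
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    // Assumed policy: reject payloads older than $maxAge seconds to limit replay.
    if (!is_int($data['issued_at'] ?? null) || time() - $data['issued_at'] > $maxAge) {
        return null;
    }
    return $data;
}

// Constructed sample (not real Facebook data), signed with a placeholder secret.
$secret  = 'PLACEHOLDER_APP_SECRET';
$encode  = fn(string $raw): string => rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
$payload = $encode(json_encode(['algorithm' => 'HMAC-SHA256', 'issued_at' => time(), 'user_id' => '1000']));
$sample  = $encode(hash_hmac('sha256', $payload, $secret, true)) . '.' . $payload;

var_dump(parseSignedRequest($sample, $secret) !== null);         // genuine value
var_dump(parseSignedRequest($sample, 'wrong-secret') !== null);  // wrong key
```

In an app, pass the received parameter and the real app secret to parseSignedRequest() and treat a null result as an unauthenticated request.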

I've come across requirements where I've had to tighten security around registration forms within Facebook. This meant ensuring that all user entry forms are served over an SSL/HTTPS connection.

To enforce this, I normally set the following rules within the .htaccess file to force the connection to HTTPS:

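RewriteEngine On
# Only act on requests that arrived over plain HTTP for this host
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^yoursiteurl\.com$ [NC]
# Send the visitor to the same path on the HTTPS host
RewriteRule ^(.*)$ https://secure.yoursiteurl.com/$1 [R,L]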

However, after applying this rule, the signed_request was no longer sent to my app.

After a bit of investigation, the cause turned out to be the redirect itself. When the page is redirected from a standard HTTP connection to a secure HTTPS connection, the browser makes a fresh request for the page, and the signed_request that came with the original request is not carried over. Therefore this was not an ideal solution.

Should your application need signed_request access on both the secure and non-secure versions, ensure that you correctly define your secure and non-secure URLs in your Facebook app settings, then add the following PHP code to your web application to echo out a JavaScript redirect:

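$appId = '01234567890';
$pageName = 'yourfacebookPageName';

// Detect whether the current request arrived over HTTPS
$protocol = ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] == 'on' ) ? 'https://' : 'http://';
$tabUrl = 'www.facebook.com/' . $pageName . '?sk=app_' . $appId;

/* If HTTP, redirect to HTTPS */
if ( $protocol == 'http://' ) {
    // The tab runs inside Facebook's iframe, so send the top-level window to the HTTPS tab URL
    echo( '<script>top.location.href = ' . json_encode( 'https://' . $tabUrl ) . ';</script>' );
}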
