I am planning to use Facebook registration to allow people to use their Facebook credentials to register/login to my site.
The details can be seen here: http://developers.facebook.com/docs/plugins/registration/
The documentation says that when a user logs in to Facebook, Facebook will fire an onLogin event and I can use this event to login the user to my site.
My question is, if I tell my website to log in the user when the event is fired, isn't it easy for an attacker to log in as any user just by spoofing my JavaScript call?
What is the general best practice to do in this case? Or is this thing inherently not secure?
(Or is there any other service I should be using for login/registration rather than the Facebook registration plugin)?
The event is very spoofable, but after you get that ping, to actually log someone in, you should use the JS SDK FB.login(), which does a call to Facebook to validate the current user's cookies and then returns you their UID and access_token.