[Facebooker-talk] Fwd: [rfacebook] Re: How exactly are session cookies supposed to work? Will ensure_authenticated use them?
Aaron Nemoyten
swivelmaster at yahoo.com
Thu Jan 29 14:20:55 EST 2009
Check out Safari cookie preferences and you'll see that the default option is Accept Cookies: Only from sites you navigate to.
In Firefox the default equivalent is Accept Third Party Cookies.
If an iFrame is in a different domain from the top site, cookies will not be accepted if these options are turned off.
Facebook itself will work just fine, but any iframe content from a different domain will have no cookie access.
I may have come up with a solution for my current issues that just ignores cookies altogether. Sadly, this may be the only choice if I want complete reliability.
----- Original Message ----
From: kevin lochner <klochner at gmail.com>
To: Aaron Nemoyten <swivelmaster at yahoo.com>
Cc: facebooker-talk at rubyforge.org
Sent: Thursday, January 29, 2009 11:02:42 AM
Subject: Re: [Facebooker-talk] Fwd: [rfacebook] Re: How exactly are session cookies supposed to work? Will ensure_authenticated use them?
The only case where this is an issue is if they've granted cookie access on
a site-by-site basis, since you can't use facebook without allowing cookies
(or at least that has been my experience).
I don't think this should be a priority, since your typical facebook user will
just allow cookies globally.
On Jan 28, 2009, at 6:33 PM, Aaron Nemoyten wrote:
>
> WARNING: HORRIBLE HACK STARTS HERE!
>
> The best fix I can come up with right now is to remove auth_token from the redirect to top, which will cause a redirect BACK to apps.facebook.com/appname, which will pass in fb_sig params but fail to create the cookie, so the javascript will redirect to top once again, but with fb_sig params in the url, which will create the session correctly with cookies allowed by all browsers, and redirect back into the frame.
>
> So now the question is... what if javascript isn't allowed to read the cookie in the first place? Then maybe I have to have Flash ping the server (cookies are automatically sent with Flash requests) and let the server tell Flash if the cookie is correct, and then Flash can call ExternalInterface and force the reload.
>
> ...this is all to get around restrictive browser cookie settings. The alternative is to just ask users to change their cookie settings and reload, but that seems like it would have a lower success rate.
>
> -Aaron
>
>
>
> _______________________________________________
> Facebooker-talk mailing list
> Facebooker-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/facebooker-talk
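The thread above turns on one question: can an iframe served from the app's own domain set a cookie at all when the user's browser blocks third-party cookies? The following is an added example (not code from this thread, from Facebooker, or from Facebook) that shows the probe-and-decide logic discussed here: write a throwaway cookie, read it back, and only if that fails fall back to carrying the `fb_sig` parameters up to the top window. The cookie store is an injected accessor so the logic runs outside a browser; in a page you would pass an object wrapping `document.cookie`. The probe cookie name, the `makeJar` stand-in for the browser, and the top URL are assumptions for the example.

```javascript
// Added example: detect blocked third-party cookies inside an iframe app and
// decide how to recover. Not code from the Facebooker project or this thread.

const PROBE_NAME = "fb_cookie_probe"; // hypothetical cookie name for the probe

// Returns true when a cookie written through `jar` can be read back.
// `jar` must expose get() -> cookie header string and set(cookieString).
function cookiesWritable(jar) {
  const value = String(Date.now());
  jar.set(`${PROBE_NAME}=${value}; path=/`);
  const found = jar
    .get()
    .split(";")
    .some((part) => part.trim() === `${PROBE_NAME}=${value}`);
  // Remove the probe cookie whether or not the write succeeded.
  jar.set(`${PROBE_NAME}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`);
  return found;
}

// Extract only the fb_sig* parameters from a query string such as location.search.
function fbSigParams(search) {
  const params = {};
  for (const pair of search.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const key = decodeURIComponent(i < 0 ? pair : pair.slice(0, i));
    const raw = i < 0 ? "" : pair.slice(i + 1);
    if (key.startsWith("fb_sig")) {
      params[key] = decodeURIComponent(raw.replace(/\+/g, " "));
    }
  }
  return params;
}

// Decide what the iframe should do. Returns an object describing the action
// rather than navigating, so the decision is testable and auditable.
//   proceed      - cookies work, keep the normal cookie-backed session
//   redirect_top - cookies blocked but signed params exist: send the top window
//                  to the app's own origin (first-party context) with them
//   ask_user     - neither is available; the only option is asking the user
function plan(jar, search, topUrl) {
  if (cookiesWritable(jar)) return { action: "proceed" };
  const sig = fbSigParams(search);
  if (!sig.fb_sig) return { action: "ask_user" };
  const qs = Object.keys(sig)
    .sort()
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(sig[k])}`)
    .join("&");
  return { action: "redirect_top", url: `${topUrl}?${qs}` };
}

// Minimal in-memory cookie jar (constructed for the example). `allow === false`
// simulates a browser that silently drops cookie writes from a third-party frame.
function makeJar(allow) {
  const store = {};
  return {
    get: () => Object.entries(store).map(([k, v]) => `${k}=${v}`).join("; "),
    set: (s) => {
      if (!allow) return;
      const [kv, ...attrs] = s.split(";");
      const eq = kv.indexOf("=");
      const k = kv.slice(0, eq);
      const v = kv.slice(eq + 1);
      const expired = attrs.some((a) => /expires=Thu, 01 Jan 1970/.test(a));
      if (expired) delete store[k];
      else store[k] = v;
    },
  };
}
```

Whichever branch `plan` takes, the `fb_sig` values are the only thing the server can trust, and it must verify them with the application secret before creating a session from them; a cookie-free session built on unverified query parameters would let anyone log in as any user.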