Currently I have no working sample. :)
no signed_request: without Facebook login
redirect to Facebook or app page.
with signed_request: logged-in user
- no user_id & oauth_token: unauthorized. permission dialog needed.
- top.location.href=https://graph.facebook.com/oauth/authorize?client_id=XXX&redirect_uri=YYY&signed_request=ZZZ
see also http://www.phpfour.com/blog/2010/05/quick-start-on-new-facebook-php-sdk-iframe-based/
- with user_id & oauth_token: authorized
oauth token expired
reload the parent page to get a new signed_request.
oauth token ok
- signed_request not from cookie: first access (today).
- set the signed_request cookie with a P3P header.
(see "Solutions for cross domain cookie things" below)
signed_request from cookie:
- but the user may actually have logged out already: the first Graph API call can verify it.
- finally arrived.
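
Added example, not part of the original notes: the signed_request decision tree above as a Python check. It assumes Facebook's documented `<signature>.<payload>` layout (both parts base64url, HMAC-SHA256 over the encoded payload, keyed with the app secret); `APP_SECRET`, the function names, the state labels and the sample payloads are constructed for illustration, and treating `expires` of 0 as non-expiring is an assumption.

```python
import base64, hashlib, hmac, json, time

APP_SECRET = b"constructed-app-secret"  # placeholder, not a real app secret

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_signed_request(payload, secret=APP_SECRET):
    """Build a constructed sample in the '<sig>.<payload>' layout (for testing)."""
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + body

def parse_signed_request(raw, secret=APP_SECRET):
    """Return the payload dict, or None if malformed or the signature fails."""
    try:
        sig_part, body = raw.split(".", 1)
        sig = _b64url_decode(sig_part)
        data = json.loads(_b64url_decode(body))
    except (ValueError, AttributeError):
        return None
    if not isinstance(data, dict):
        return None
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None  # refuse any algorithm we did not expect
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return data if hmac.compare_digest(sig, expected) else None

def classify(raw, now=None, secret=APP_SECRET):
    """Map a request's signed_request onto the states in the outline above."""
    if not raw:
        return "no_signed_request"   # redirect to Facebook or app page
    data = parse_signed_request(raw, secret)
    if data is None:
        return "invalid"             # never trust an unverified payload
    if not data.get("user_id") or not data.get("oauth_token"):
        return "unauthorized"        # permission dialog needed
    expires = data.get("expires", 0) # assumption: 0 means non-expiring
    now = time.time() if now is None else now
    if expires and expires <= now:
        return "token_expired"       # reload parent page for a new one
    return "authorized"
```

The same check applies whether the value arrives by POST, GET or cookie; a cookie copy that still verifies can belong to a user who has since logged out, which is why the notes rely on the first Graph API call to confirm it.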
Solutions for cross domain cookie things:
- append signed_request to every GET/POST/Ajax request
- every anchor (a tag) needs signed_request as an argument
- every form needs signed_request as a hidden input
so, make a middleware with heavy regular expressions~
every Ajax request needs signed_request.
redirect to make cookie
- modern browsers except Safari will send the cookie on the 2nd request.
so it's safe with signed_request from GET.
Safari doesn't. the next request will miss signed_request, OMG.
- just redirect to cross-domain-helper.html
- auto-submit with POST. (will GET work?)
- redirect to original page.
- done.
% every view should send the P3P & Set-Cookie headers.