I just want to ask a question about Facebook "signed_request" thing.
I'm using Zend Framework for my app. The thing is, when a user first authorizes my app or enters the app from the apps.facebook.com/my_app/ URL, I'm successfully retrieving signed_request.
Actually, I'm retrieving it from apps.facebook.com/my_app/index.php (Thanks to this question)
OK, the app has been started, I received the signed request and stored it in the user session. However, when the user clicks anywhere in my app, the $facebook object is created again, but this time it has no signed_request.
According to this topic on Codeplex, I can expect that signed_request will come in this second request of user:
"Instead of using the cookie you should use the signed request value that Facebook POSTS to your page on each request."
On the other hand, Facebook documentation says:
"A signed_request is passed to Apps on Facebook.com when they are loaded into the Facebook environment"
Now, does Facebook send this request on each call, or is there a technical problem in my app? Could it be an iframe issue? When the user clicks "categories", the page loads in the same iframe and the URL in the address bar does not change.
I think it's basically a difference of definition on what "each request" means. Facebook will POST signed_request to your page only when the containing iframe is first constructed, i.e. when the user goes directly to apps.facebook.com/your_app/somepage.php as their browser location. If the user then follows a "normal" link on your page that results in only a reload of the iframe and not the entire page, no signed_request will be sent. If it helps to think of it this way, signed_request is sent when the user first loads your app, but not on each subsequent request.
The reason there is some confusion about this is that many coders have taken a hackish shortcut by making all their links use target=_top and pointing them at apps.facebook.com/your_app/yourpage.php rather than www.yourdomain.com/yourpage.php. Since that results in the entire page being re-constructed each time, it does indeed have the effect of sending signed_request with each page fetch. But in normal (and recommended) operation, you'll need to count on signed_request only being sent once.
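The pattern the answer describes, as an added example that is not part of the original question or answer: verify signed_request on the one POST that carries it, keep the verified payload in the session, and fall back to that payload on later in-iframe requests. `APP_SECRET`, `b64url_decode()`, `parse_signed_request()`, `current_facebook_context()` and the `fb_context` session key are hypothetical names chosen for this sketch.

```php
<?php
// Placeholder: load the real app secret from configuration, never from client input.
const APP_SECRET = 'replace-with-app-secret';

// Decode base64url (URL-safe alphabet, padding stripped). Returns false on bad input.
function b64url_decode($s)
{
    $s = strtr($s, '-_', '+/');
    $s = str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '=');
    return base64_decode($s, true);
}

// Returns the decoded payload array, or null if the value is malformed or not
// signed with $secret. Format: base64url(signature) . '.' . base64url(JSON payload).
function parse_signed_request($signedRequest, $secret)
{
    $parts = explode('.', $signedRequest, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($encodedSig, $encodedPayload) = $parts;
    $sig  = b64url_decode($encodedSig);
    $json = b64url_decode($encodedPayload);
    if ($sig === false || $json === false) {
        return null;
    }
    $data = json_decode($json, true);
    if (!is_array($data) || strtoupper($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }
    // The HMAC covers the still-encoded payload string, not the decoded JSON.
    $expected = hash_hmac('sha256', $encodedPayload, $secret, true);
    return hash_equals($expected, $sig) ? $data : null; // constant-time compare
}

// A fresh, valid signed_request replaces the cached context; otherwise the
// context verified on the initial canvas load is reused.
function current_facebook_context(array $post, array &$session, $secret)
{
    if (isset($post['signed_request']) && is_string($post['signed_request'])) {
        $data = parse_signed_request($post['signed_request'], $secret);
        if ($data !== null) {
            $session['fb_context'] = $data; // store verified data, not the raw string
        }
    }
    return $session['fb_context'] ?? null;
}

session_start();
$fb = current_facebook_context($_POST, $_SESSION, APP_SECRET);
```

A `null` result means the request arrived outside the canvas with no prior verified load, so the app should send the user to its apps.facebook.com URL instead of trusting any client-supplied user ID.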