0
votes

I am creating a flash game, and I would like the users to be able to log on using Facebook. So far I have used the facebook-actionscript API to successfully create a .swf file that allows users to 'log in' to my flash game. From here, I have access to their information such as their Facebook ID and name.

My suggested approach from here (which may be rather naive) was to use the Facebook ID as a unique identifier for a user. I would then include this id when making calls to the php back-end.

For example, if a user wanted to retrieve their list of items. I would send a 'get items' request to php containing their Facebook id. In my database, I would store the Facebook ID of each user and thus would be able to return the right items.

I was just wondering if there was a different/better approach to this sort of thing. I assume I would need some form of encryption if I were to go ahead with my plan. Can anyone advise on this?

2
Sounds like a pretty normal approach if you ask me. What do you want to encrypt? - Jonathan
I'm not sure on this, but couldn't someone sniff a packet, copy its structure and submit bogus requests. - Alan Albus

2 Answers

0
votes

Using the User ID is OK to go ahead with, but Facebook would rather you convert the User ID to something that isn't directly identifiable to a Facebook user. You would have to use a function to map the User ID to your internal User ID.

Simple function: md5( $user_id );

0
votes

As an answer to your comment

Packet sniffing and sending fake packets can always be done in games, whether it's a webserver backend with Facebook, a socket server without Facebook, etc. I'm no expert, but I think what games usually do is somehow find out if that request is real. Server-side cheat detection, basically.

As an extra protection you could also bind an id to each request that you encrypt with a secret key, and when the server receives it, it checks whether it's new or not. This way hackers can't resend fake packets. But this can be reverse engineered, of course.

There's probably books about this, I'm just kind of guessing what you could do.
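The "id bound to each request, checked by the server for freshness" idea from this answer, written up as an added example (not the answerer's code, and in Python rather than the question's PHP backend). It assumes the server has already confirmed who the user is before issuing a session; the per-session key then stays on the server and is never embedded in the .swf, each request carries a fresh nonce plus an HMAC, and the Facebook ID is looked up server-side instead of being trusted from the client. All function and variable names are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed example state: in a real backend this lives in a database/cache.
SESSIONS = {}        # session_id -> (facebook_user_id, session_key)
SEEN_NONCES = set()  # (session_id, nonce) pairs the server already accepted


def issue_session(facebook_user_id):
    """Server side, called once after the user's identity has been confirmed.
    Returns (session_id, session_key); the client keeps both for later calls."""
    session_id = secrets.token_hex(8)
    session_key = secrets.token_bytes(32)
    SESSIONS[session_id] = (facebook_user_id, session_key)
    return session_id, session_key


def _mac(session_key, session_id, action, nonce):
    # MAC covers everything the server will act on, so none of it can be edited.
    msg = "|".join((session_id, action, nonce)).encode()
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()


def sign_request(session_id, session_key, action):
    """Client side: attach a fresh random nonce and a MAC over the request.
    Note the Facebook ID is not part of the request at all."""
    nonce = secrets.token_hex(8)
    return {"session": session_id, "action": action, "nonce": nonce,
            "mac": _mac(session_key, session_id, action, nonce)}


def verify_request(req):
    """Server side: returns the Facebook user id the request belongs to, or
    None if the session is unknown, the MAC is wrong, or the nonce was replayed."""
    entry = SESSIONS.get(req.get("session"))
    if entry is None:
        return None
    facebook_user_id, session_key = entry
    expected = _mac(session_key, req["session"], req["action"], req["nonce"])
    if not hmac.compare_digest(expected, req.get("mac", "")):
        return None  # forged or tampered packet
    key = (req["session"], req["nonce"])
    if key in SEEN_NONCES:
        return None  # captured packet sent a second time
    SEEN_NONCES.add(key)
    return facebook_user_id
```

A "get items" handler would call verify_request() first and query the database with the returned id, so a sniffed request can neither be replayed nor redirected to another user's items.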