2
votes

I'm developing a multiplayer Facebook game in canvas, with a Flash client side and C#/.NET on the server side. Communication uses sockets. Flash is loaded inside an ASP.NET page.

I want some best practices from experienced developers about Facebook integration, mainly in the authentication module.

I have come up with these scenarios:

  1. Flash SDK for Facebook (which externally calls JavaScript methods) to authenticate the user at startup and for other calls.
  2. ASP.NET server-side authentication when loading the app (maybe with the JavaScript SDK). And then with the "Game Server" (to which Flash is communicating with sockets) using no JavaScript SDK, with direct calls to the FB API.

Which method is better and why? I think there will be security issues too :|

EDIT: I added some details:

It's a simple multiplayer game for 4 players. First I'm going to check the signed_request posted by the Facebook canvas in C#'s aspx.cs code, get the Facebook-provided UserId and pass it to the Flash client. After this, the Flash client connects to the server with sockets and sends the UserId; then I need to "reAuthenticate" this UserId and check if it was the id I first got using signed_request (this step is where I'm stuck and need help). After that I think it would be all right.

1 Answer

4
votes

It depends on the type of app/game and what you're protecting by the user authentication.

If it's protecting anything that's on the server, then you can't just rely on the Flash client to authenticate the user. Remember that an attacker can just skip your Flash client, or modify it, to achieve their goal.

In general you want to do the Facebook authentication at a time that makes sense for the game, and when it's sent to the server, the server validates it and issues your own authentication token that you can check without hitting any external sources.
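
One way to implement the server-issued token described in this answer, as an added example that is not code from the original post: the ASP.NET page signs the UserId it read from the already verified signed_request, and the socket game server checks that signature locally instead of trusting a bare UserId. The `GameToken` class, the `userId.expiry.signature` layout, the shared key and the sample id are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper shared by the ASP.NET page and the socket game server.
public static class GameToken
{
    // Called by the page after signed_request has been verified: "userId.expiry.signature".
    public static string Issue(byte[] key, string userId, DateTimeOffset now, TimeSpan lifetime)
    {
        string body = userId + "." + now.Add(lifetime).ToUnixTimeSeconds();
        return body + "." + Sign(key, body);
    }

    // Called by the socket server: returns the user id, or null if forged, malformed or expired.
    public static string Verify(byte[] key, string token, DateTimeOffset now)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 3) return null;
        string body = parts[0] + "." + parts[1];
        byte[] expected = Encoding.ASCII.GetBytes(Sign(key, body));
        byte[] actual = Encoding.ASCII.GetBytes(parts[2]);
        // Check the signature first, in constant time, before trusting any field.
        if (!CryptographicOperations.FixedTimeEquals(expected, actual)) return null;
        if (!long.TryParse(parts[1], out long expiry)) return null;
        if (now.ToUnixTimeSeconds() >= expiry) return null;
        return parts[0];
    }

    private static string Sign(byte[] key, string body)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(body)));
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] key = new byte[32];
        RandomNumberGenerator.Fill(key); // server-side secret, never embedded in the SWF
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string token = GameToken.Issue(key, "1000123", now, TimeSpan.FromMinutes(5)); // constructed id
        Console.WriteLine(GameToken.Verify(key, token, now) ?? "rejected");                      // untouched token
        Console.WriteLine(GameToken.Verify(key, "999" + token.Substring(7), now) ?? "rejected"); // id swapped by client
        Console.WriteLine(GameToken.Verify(key, token, now.AddMinutes(6)) ?? "rejected");        // presented after expiry
    }
}
```

The Flash client only carries the token from the page to the socket; because it cannot produce a valid signature for a different UserId, a modified or replaced client gains nothing by changing the id. Keep the lifetime short, since a captured token is valid until it expires.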