Unity Facebook SDK cookies/sessions

Sorry if this is not the right section to post this in. Has anyone used the Facebook Unity SDK? I am trying to figure out how to verify a users identity on the server side. I see that there is a checkbox “Cookies” under the FB.Init settings, but I don’t see any documentation on how to access that cookie or verify it on the server side.

Right now I can authenticate the user using the SDK, but when it comes down to sending my WWW data over to the server, I have no way of verifying the user that is sending the data is actually the same user that logged in. The only thing I can currently send over to verify is the AccessToken, but that doesn’t change that often that if someone obtained another users Access Token they can just do a POST and update the users data. I could refresh the Access Token then just check on the server side when was the last time it was refreshed, but I don’t really want to keep refreshing the users token.

Everything in the FB graph api / Unity FB API - surrounds the access token and that is what you use to authenticate users in the game/client and on hte server as well if your server needs to communicate with facebook on the users behalf.

The way we used to verify accesstoken’s was to download the users image and another piece of information from their account on the server side. just to make sure that its not some random accesstoken , then we would check if the account matched up with the given name of the user as the user was first created.

Facebook is pretty secure and the access tokens expire after 60 days if i remember correctly - as long as you dont send the accesstokens unencrypted through a non ssl connection and you don’t store them on the server it’s pretty safe, if you store them on the server it’s okay as well - Also make sure that the application doesn’t ask for permissions that you’re not using, since that will just expose the system to more potential security issues.

IMO. You cannot make it 100% secure and also, who cares enough about your game to try and do a man in the middle attach on your game and server between a client and their secret access token ? ( That’s a lot of effort for very little information and you’re limited to the permisions granted by the configuration of the app in the facebook developer console. I wouldn’t worry too much about this. )

Cheers!