[Solved] facebookconnect secret key
jproffer
06-10-2011, 02:17 AM
In your facebookconnect example, you require that the App Secret key be passed from the web to server, where it's hashed along with other info to compare against the sig given by facebook.
Can you clarify that the "secret" variable is indeed the App Secret value? I don't think that should be made public?
tcarr
06-10-2011, 02:42 AM
The value that is passed from the client to the ES5 is not the same app secret that we never share with anybody. It's a different secret. ;)
tcarr
06-10-2011, 02:48 AM
Clarification: read the Facebook tutorial. (http://www.electrotank.com/docs/es5/manual/facebook_connect.htm) The "app secret" goes in your Extension.xml file, which will only be seen by those who have access to the hard drive of your ES5's server. You put your "app id" in the client. There's something that is called "secret" that is part of the session, but it's something that is not the same as your app secret and if memory serves it is different each time that a user logs in, probably some kind of session secret. It's been a couple of months so I might be misremembering. In any case Facebook says that they will be changing their api again in July, so we may need to scramble to figure out a new way to verify the session, because the ES5 can't use the PHP api that Facebook assumes everybody uses.
The various parts of the session key are sent to the ES5, which combines them in the right order with the "app secret" which the client won't know, and hashes them, then compares it to the sig from the client. If it matches, then it's a legit login.
jproffer
06-10-2011, 03:22 AM
But you have both "session_key" and "secret" in the list of variables expected from the client. I'm unable to find any documentation on what "secret" could possibly be, from Facebook or in your documentation. The example is magically getting it from Facebook's code; there's no obvious indication or explanation as to what it is. Do you happen to remember which part of the session key is the "secret" that ES5 is looking for? Also, is the session_key that ES5 is getting a truncated version of the session_key string returned by Facebook?
jproffer
06-10-2011, 03:23 AM
We want to implement Facebook validation into our game, which is a Facebook app, but we're using PHP and not JavaScript. We already have the session_key string from the user's Facebook login; we just need to figure out how to parse it into the components needed to validate it according to your example.
jproffer
06-10-2011, 03:41 AM
OK, after a lot of googling I finally found what I was looking for: 2.{secret}.3600.{expires_at_seconds_after_epoch}-{user_id}
tcarr
06-10-2011, 11:41 AM
If you are using the Facebook PHP API, then you could have your custom PHP code create your own key that you could hash with something for this session, and send the something and your own hashed version of it that the ES5 could then verify. Right?
jproffer
06-18-2011, 03:08 PM
Thanks, we wound up creating our own hash, a SHA1 of FBID+EXPIRETIME. In the future we plan to change that to a base64-encoded AES encrypted string containing the FBID and EXPIRE for validation. But for now we're good with the SHA1 hash.
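
The token scheme discussed in this thread (the web tier issues a value binding the Facebook ID to an expiry, and the game server verifies it), sketched as an added example that is not code from either poster or from ElectroServer. It assumes a key shared only between the two servers and uses HMAC-SHA256 rather than a bare hash, since a plain hash of values the client can see can be recomputed by the client; `SHARED_KEY`, `issue_token` and `verify_token` are hypothetical names.

```python
import hashlib
import hmac
import re
import time
from typing import Optional

# Assumption: a key known only to the web tier and the game server,
# loaded from server-side config. Constructed value for this demo.
SHARED_KEY = b"constructed-demo-key"
_DIGITS = re.compile(r"[0-9]+")


def _sign(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(fb_id: str, ttl: int, key: bytes = SHARED_KEY,
                now: Optional[int] = None) -> str:
    """Web tier: bind the Facebook user id to an expiry and sign both."""
    if not _DIGITS.fullmatch(fb_id):
        raise ValueError("fb_id must be decimal digits")
    expires = int(time.time() if now is None else now) + ttl
    # The "." delimiter keeps the fields unambiguous: bare concatenation
    # would make ("12", "345") and ("123", "45") sign the same bytes.
    payload = f"{fb_id}.{expires}"
    return f"{payload}.{_sign(payload, key)}"


def verify_token(token: str, key: bytes = SHARED_KEY,
                 now: Optional[int] = None) -> Optional[str]:
    """Game server: return the Facebook id if authentic and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    fb_id, expires, sig = parts
    if not (_DIGITS.fullmatch(fb_id) and _DIGITS.fullmatch(expires)):
        return None
    expected = _sign(f"{fb_id}.{expires}", key)
    # Constant-time compare: do not leak how much of the signature matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    current = int(time.time() if now is None else now)
    if current >= int(expires):
        return None  # authentic but past its expiry
    return fb_id
```

The expiry is checked only after the signature, so an unauthenticated client never learns which field caused the rejection.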