I am using the Facebook PHP SDK in a server-side API which is used by several mobile apps (iOS & Android) and a website to read/write data to the database.
I cannot see any reason why the web version will not work because the sessions set by Facebook can be read from the browser via the SDK.
So if I am using:
$facebook = new Facebook(array(
'appId' => 'xx',
'secret' => 'xx',
));
// Get User ID
$user_id = $facebook->getUser();
And the $user_id
is set, then I can get the user information for the logged in user. This means that when I am saving, updating or getting records from the database they are guaranteed to only be for the logged in user and cannot be spoofed.
How to securely communicate from mobile web app to server using Facebook PHP SDK
So, how would this be replicated for a mobile application? How can the mobile application use the API and prove that the Facebook ID it wants to modify is logged in and authorised on Facebook?