Im using the javascript SDK of facebook in the frontend:
jQuery("#pct_fbbutton").live("click",function(){
FB.getLoginStatus(function(response) {
if (response.status === 'connected') {
console.log('Conected');
FB.api('/me/likes', function(response) { user_likes = response;
FB.api('/me', function(response) { user = response;
send_server(user, user_likes);
});
});
} else if (response.status === 'not_authorized') {
console.log('not_authorized');
login();
} else {
console.log('not_logged_in');
login();
}
});
});
As you can see, after the user is login with facebook ill send two objects via AJAX to a php script (using the function send_server).
I can access in the backend the currently generated token with $facebook->getAccessToken(), but as I know this is retrived from a cookie made by the javasript sdk, considering that all frontend data can be hacked, using the token how can ensure that the user data is valid on php?