I need the _fbc value but not from the cookie, so I need a way to convert the fbclid to the _fbc value and store it somewhere else to trigger the API conversion, but due to the coming changes to iOS I can no longer rely on the cookie so what is fbclid using to encrypt to the _fbc?
I've been trying to research on how to get the value but I have not found anything yet.
According to the Facebook dev docs: https://developers.facebook.com/docs/marketing-api/conversions-api/parameters/fbp-and-fbc
If you don't have the pixel installed or the _fbc cookie isn't available, then the fbc value is a combination of the version, subdomain index, the UNIX timestamp in milliseconds, and the fbclid value:
fb.1.timestamp.fbclid-value
Related
In March of 2018 Facebook began requiring "Strict Mode" for redirect URIs. This means any redirect URI needs to be known in advance, and added to your app's profile (Valid OAuth Redirect URIs). The problem is when the redirect URI contains a dynamic parameter, like a state variable, guid, or user id, etc.
The answer I have found on many websites is that you can hold dynamic state in a "state" parameter. So if your allowed redirect uri is "www.example.com/signin" then this will also allow "www.example.com/signin?state=12344". However, this seems to be no longer allowed. The state parameter no longer seems to be ignored by this strict rule - it fails validation (there is a valid url checker on your facebook app settings page). To test this, I simply put "a.com" in the allow uri field, and "a.com?state=x" in the Redirect URI Validator, and it fails. Without the ?state-x it succeeds. What am I missing?
So I have two questions:
1) First, how to I find out what redirect url my app is actually sending to FB? I can't sniff my traffic since it's https (also required now by fb). I think I know what it is (https://www.example.com/signin-facebook?state=xxxxxx) but I can't be sure and there is no way to verify. The logic that calls FB is wrapped up in the MS Identity library.
2) Second, if it's the state parameter that is causing my login fails, is there any way to disable that in my ASP.NET Core app, or allow it in FB?
Just to clarify, here are two images showing that without the state parameter, the url is valid, but adding the state parameter makes it an invalid URL. Clearly the 'state' parameter is not being ignored by this strict rule checker, as many people have claimed. If I add the state param url to the list of allowed urls, it works but only with that exact state value, not with any different value.
The state parameter is dynamic to begin with (or at least it should be, because its original purpose is CSRF protection), so it is not taken into account when the URL is checked for a “strict” match to the one you have configured.
If you want to use
https://www.example.com/signin-facebook?state=xxxxxx
then configure
https://www.example.com/signin-facebook
as your Valid OAuth Redirect URI.
If you have other (static!) parameters besides the dynamic state, then those must be input into the field as well. You want to use
https://www.example.com/signin-facebook?action=foobar&state=xxxxxx
then the URL in your settings needs to be
https://www.example.com/signin-facebook?action=foobar
And since, as mentioned, the original purpose of this parameter is CSRF protection, it might still be a good idea to add a “random“ component to it, if the actual value you are trying to transport via it is “guessable”, or from a limited range of pre-defined values only.
In that case, I would probably go with an encoded JSON object as the parameter value -
state={"mystate":"foobar","random":8473628}
(Don’t forget to apply proper URL encoding, if your system doesn’t do that automatically.)
I am trying to get the id from the public-profile-url. The query looks like:
https://api.linkedin.com/v1/people/url={https://www.linkedin.com/in/name}
However, what I get get back from linkedin is:
<error>
<status>400</status>
<timestamp>1460131755319</timestamp>
<request-id>2OV9FJ0DTR</request-id>
<error-code>0</error-code>
<message>[invalid.param.url]. Public profile URL is not correct,
{url=}; should be {https://www.linkedin.com/pub/[member-name/]x/y/z} or
{https://www.linkedin.com/in/string}</message>
The interesting part is:
Public profile URL is not correct, {url=}; should be {https://www.linkedin.com/pub/[member-name/]x/y/z} or {https://www.linkedin.com/in/string}
The url clearly adheres to the rules that they mention and the url works. Any idea on how to fix it?
You cannot reliably retrieve a member ID from a profile URL. id values that you can rely on are returned as part of Profile API calls. From time to time, LinkedIn changes the format of it's public profile URLs, so attempting to parse them or reconstruct them can leave your app in a broken state. The public-profile-url field should be considered read-only, and not something you try and parse or create yourself.
e.g.: GET https://api.linkedin.com/v1/people/~:(id,first-name,last-name,public-profile-url)?format=json
id values are encoded to specific LinkedIn applications and cannot be re-used between apps. As a result, any value you attempt to pull out of a URL won't be of any use to you. The information needs to be acquired via an API call.
I am using the PHP SDK getLoginUrl() function which works perfectly to log the user in. Once the user is redirected back to my page, the URL can come in two forms, see in the following link subsection 3: http://developers.facebook.com/docs/authentication/server-side/
Part of the return URL is a ?state= value. This value is supposed to be used to prevent Cross Site Request Forgery: http://developers.facebook.com/docs/reference/dialogs/oauth/
Though, using the getLoginUrl() method I can never set a state value as it is not one of the parameters: http://developers.facebook.com/docs/reference/php/facebook-getLoginUrl/
So how can I utilize the state-value to log a user into facebook and prevent CSRF?
So how can I utilize the state-value to log a user into facebook and prevent CSRF?
This is being automatically handled by the Facebook PHP SDK. If you were about to write your own API calls to Facebook, you would need to submit the state manually (if desired) as per Facebook's OAuth documentation.
When you create a login url with BaseFacebook::getLoginUrl(), the first thing the function does is to establish CSRF token state1, which creates a hash using PHP's core mt_rand(), uniqid() and md5() functions and also stores the value as a session variable.
When the user gets redirected back to your page the, FBSDK checks if the submitted state matches the state value in the session. If the values indeed match, the state is cleared from the Facebook object and from the session, so all subsequent getLoginUrl() requests would get a new state variable.2
Theoretically you could use your own state value with FBSDK by writing it to fb_<your_app_id>_state session variable before constructing the Facebook-object, as the BaseFacebook's constructor and establishCSRFTokenState() both check if the state already exists in the session.
But that would probably introduce more complexity than is necessary.
see BaseFacebook::establishCSRFTokenState()
see BaseFacebook::getCode()
I use Zend_Session::rememberMe(60*60*24*90); to make the session of a logged-in user to last for 90 days.
I've read the Zend_Session documentation but didn't find any method to check that this expiration is actually set somewhere.
I cannot check the browser cookie, at least directly, as the webpage is embedded within an Adobe Air widget.
If you just want it for debugging purpose use:
var_dump($_SESSION['__ZF']);
you can see all of the values stored in zend session including rememberme 's expiration.
to connect to an app on facebook, the user types in
www.facebook.com/login.php?api=12312312323123123
how can I add an extra get var to this url and pass it to my script on successful login?
Do you add a redirect_url as part of the login call?
If so you can add the GET parameter to that. For instance let us say you are asking Facebook to redirect to http://tld/fbhandler after user logs in. You can change that to http://tld/fbhandler?extra=value.
This URL is specified at the time of making the (OAuth) login call to Facebook and therefore you can change the value as you see fit.
You cannot do this. Facebook will strip custom query values from the url. I have found that there are two ways to do this. The first is that they will let you have a single query value at the end of the url if you encode the ? to %3F. For example:
redirect_url=http://www.example.com%3FmyextraParameter
You could use this approach to do something like base64url encode your values and add them at the end.
The other thing that I have done is to change the parameters to be path variables
redirect_url=http://www.example.com/realUrl/parameter1/parameter2
Neither are great solutions, but I have yet to find a way to send querystring values without them being stripped off.