如果用户在Facebook外查看,我如何强制重定向回Facebook页面选项卡?

时间:2011-11-17 14:40:57

标签: facebook opengraph

我的页面标签有问题 - 我收到了Facebook通知,有人在我的页面标签上的评论框中发表了评论,StackOverflow点击了该链接,我被直接带到了我网站上的页面:

这是带我去的网址:

http://sehabitat.com/Facebook/index.PHP?Facebook_comment_id=Facebookc_10150365133961604_19446706_10150373950271604&ref=notif&notif_t=open_graph_comment#f27DB40044

如何修复此问题,StackOverflow用户在其Facebook通知中点击的网址将改为:http://www.Facebook.com/SEHabitat?sk=app_175821802509443

4 个答案:

答案 0 :(得分:2)

如果用户正在直接查看该页面,您将看到GET请求。

如果他们通过Facebook查看标签页,您的页面将会加载一个POST(带有一些参数"用Facebook签名"使用您的应用程序密码,但欺骗此重定向可能不是&#39 ;安全问题,所以你不必关心它。)

答案 1 :(得分:1)

您可以检查用户从何处重定向,如果他没有从Facebook标签重定向(如果我没记错的话,以static.facebook开头的url)您将其重定向到该页面。像这样的东西:

  $ref=$_SERVER['HTTP_REFERER'];
  if ($ref != "static.facebook...") {
      Header ('Location: http://www.facebook.com/SEHabitat?sk=app_175821802509443');
  }

答案 2 :(得分:0)

Daniel Tsyganok的答案是服务器端解决方案,并且良好且防篡改。

但是,如果你的代理人背后有剥离HTTP referer字段的人,那么使用JavaScript的安全性较低。

<script type="text/javascript">
    if (self==top)
        location = "//www.facebook.com/SEHabitat?sk=app_175821802509443";
</script>

答案 3 :(得分:0)

我使用服务器和客户端脚本的混合来实现您的要求。假设php是您的服务器端语言,大多数情况下都应该使用以下内容:

<?php
$app_id = "<your app id>";
$page_url = "<your page url>";
// if your app requires extended permissions
$app_scope = "user_interests,publish_actions,publish_stream"; //etc.

// depending on your requirement you may use the oauth authentication
// or you may simply redirect to your page url instead
$auth_url = "https://www.facebook.com/dialog/oauth?client_id=" 
        . $app_id . "&redirect_uri=" . urlencode($page_url)
        . "&scope=" . $app_scope;

// this is passed only when your page is pulled by facebook
if (!isset($_REQUEST["signed_request"])) {
    // we are sure that the page is not accessed within facebook
    // so we may redirect
    header ('Location: ' . $auth_url); // or $page_url
    die();
}

$signed_request = $_REQUEST["signed_request"];

list($encoded_sig, $payload) = explode('.', $signed_request, 2); 

$data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);

// we can check this and redirect later
$user_id = $data["user_id"];

// other details are also avialable
$user = $data["user"];
$algorithm = $data["algorithm"];
$issued_at = $data["issued_at"];
$oauth_token = $data["oauth_token"];
$expires = $data["expires"];

// passed only when the app is loaded inside a page tab
// can be checked for and if empty we can redirect
$app_data = $data["app_data"];

// signed_request algorithm's signature verification
// is omitted here for simplicity sake. you may perform
// that to ensure the authenticity of the request

// other initial setups
?>

现在,您可以将以下脚本放在页面上的 <head> </head> 标记内:

<script type="text/javascript">
    <?php if (empty($user_id)): // or as may the need be, you may want to check $app_data instead ?>
        top.location.href="<?php echo $auth_url; // or you may want to use $page_url instead ?>";
</script>
相关问题
最新问题