Option 1: The easiest way I can think of is to include the accessToken in JS and pass it with the ajax call.

Option 2: Using the same as option 1, but instead of sending just the accessToken, send the signedRequest.

在服务器一侧,您可以使用 (TryParse Trasser Signer Request 方法) 来解码它, 这将为您提供 UserID :-)

注意: 符号请求 用程序秘密加密 。 < strong > you是唯一应该知道的人, 所以您在那个端上是安全的 。

免责声明:

我没有在C#的编码经验, 但小小的搜索谷歌给了我这个:

"http://csharpsdk.org/docs/web/"rel="nofollow">脸书C#SDK为 ASP.NET

进行AJAX请求

When the user loads you app use the server side authentication, get the access token and load the user data by issuing an api request from the server.
On the server side you ll have everything you need and it s sandboxed.

When the page renders for the user, using the js sdk get the user authentication data, you should be able to use FB.getLoginStatus since the user already went through the server side authentication.
Now on the client side you also have an access token which you can use to get the user data from the graph api.

The two tokens will be different, and will also have different expiration, but that should not be a problem, both token should work properly as you d expect them to.
Since both sides have their own token and a way to make requests to the api, there s no need to send any fb data between them.

所以,你说的第三种选择,对我来说, 听起来是最好的, 并且它真的很简单 实施这一点。

Edit

All facebook SDKs are just wrappers for http request since the entire fb api is made on http requests.
The SDKs just give you easy and shorter access to the data with out the need to build the url yourself (with all the different possible parameters), make the request and parse the response.

To be completely honest, I think that stop providing a way for the C# SDK to support server side authentication is a very bad decision.
What s the point in providing a SDK which does not implement the entire api?

The best answer to your question, from my experience, is to use both server and client side authentication, and since the C# SDK does not support it, my advice to you is to create your own SDK.
It s not complicated at all, I already implemented it for python and java (twice), and since you ll be developing it for your own needs it can be tailored for your exact needs, unlike a public SDK which should support all possible options.

2nd Edit

不需要创建全新的 SDK, 您可以只“ 扩展” 您正在使用的内容, 并添加您需要的缺失部分, 比如断开侧侧认证支持 。

我不知道它是否具体针对语言,但使用服务器和客户端认证并无害。

你可以研究选择2,但是是的,那也很容易被欺骗。

选择方案3,你将有一个用户会话的单一存取标记, 所以我认为这是最好的选择, 因为在从客户方面传递用户信息时, 你总是有机会骗取用户信息。

我最近也有同样的问题。 选择2, 请查< a href="https:// developmenters.facebook. com/blog/post/534/" rel="nofollow",

说实话,我不够黑客知道 你能否在饼干里打出UID, 但是这似乎是一种正式的方式。

EDIT:关于选项2下的另一个问题,是的,我认为你必须 访问你域上的这个饼干。