function saveSignedRequest() { $signed_request = $_POST['signed_request']; $secret = Config::get_mandatory('fb_secret'); list($encoded_sig, $payload) = explode('.', $signed_request, 2); // decode the data $sig = Fb::base64_url_decode($encoded_sig); $data = json_decode(Fb::base64_url_decode($payload), true); if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') { error_log('Unknown algorithm. Expected HMAC-SHA256'); return null; } // check sig $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true); if ($sig !== $expected_sig) { error_log('Bad Signed JSON signature!'); return null; } // save to session, so we have it throughout app $_SESSION['signed_request'] = $data; return $data; }