Facebook Tweaks Connect Login Flow to Improve Security
Facebook has just announced an update to its Connect login flow that makes the Connect login experience more consistent and should improve security.
Until now, users who log in to a Connect-enabled site while already logged in to Facebook have seen an iframe “light box” within the browser window. Beginning now, a dialog will pop up in a separate browser window. That popup window will have its own address bar — this matches the login flow when the user is not already logged in to Facebook, and is generally more secure. Because the address bar displays the URL, users can see more clearly that they’re interacting with Facebook rather than with content the host site has framed.
If the user’s browser has blocked popups, Facebook will instead display the following dialog, which will take the user to log in at Facebook.com, and then back to your site afterward.

How will developers need to change their Connect implementations? According to Facebook’s Naitik Shah:
If you’re using the XFBML fb:login-button tag to render the dialog, you won’t need to change anything. Depending upon how you initiate the login flow, your users may experience the process differently; however, this is not a breaking change.
If you trigger the login flow using JavaScript, you can only trigger the Connect dialog to pop up by way of a user-initiated event, which lets you circumvent popup blockers.
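The following JavaScript is an added illustration of the two points above; it is not code from Facebook or from this post. It opens the login dialog in a separate window with the address bar visible, does so synchronously inside the click handler so the call is covered by the user gesture, and falls back to a full-page redirect when a popup blocker returns nothing. The login URL, the `login` element id and all function names are placeholders chosen for the example; the window object is passed in as a parameter so the logic can be exercised outside a browser.

```javascript
// Added example, not Facebook's code. LOGIN_URL is a placeholder, not a real endpoint.
const LOGIN_URL = "https://login.example.com/dialog";

// Window features for the dialog: a separate window with the address bar shown
// (location=yes) so the user can read which site is asking for credentials.
const POPUP_FEATURES = "width=620,height=440,location=yes,toolbar=no,menubar=no";

// Try to open the login dialog as a popup. `win` is the browser window object
// (injected for testability). Returns how the login should proceed.
function openLoginDialog(win, url = LOGIN_URL) {
  const popup = win.open(url, "login_dialog", POPUP_FEATURES);
  // Popup blockers return null (or a window that is closed immediately).
  if (!popup || popup.closed) {
    return { mode: "redirect", url };
  }
  return { mode: "popup", popup };
}

// Correct pattern: call open() synchronously from the user-initiated click, so
// the browser treats the popup as requested by the user, not as unsolicited.
function attachLoginButton(button, win) {
  button.addEventListener("click", (event) => {
    event.preventDefault();
    const result = openLoginDialog(win);
    if (result.mode === "redirect") {
      // Popup blocked: send the whole page to the login site, which returns
      // the user to this site afterward (the fallback described in the post).
      win.location.assign(result.url);
    }
  });
}

// Anti-pattern: deferring open() until after an asynchronous step (a timer,
// an XHR callback) leaves the user-gesture context, so the popup is blocked.
function attachLoginButtonBroken(button, win) {
  button.addEventListener("click", () => {
    win.setTimeout(() => openLoginDialog(win), 0);
  });
}

// Browser wiring; the element id "login" is an assumption of this example.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  const button = document.getElementById("login");
  if (button) attachLoginButton(button, window);
}
```

The key design choice is that `openLoginDialog` is called on the same call stack as the click event; any `await`, timer or network round-trip placed before it will silently turn the popup into the redirect fallback in most browsers.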
October 6th, 2009 at 5:17 am
Well, this breaks a whole lot of existing code. For example, the lightbox approach was necessary to circumvent Safari’s security policy of preventing cookies from being dropped from sites a user hasn’t explicitly visited when calling your Connect site via an iframe. As a workaround, we trigger a pop-up from the target domain with a lightbox login form within. Not quite sure how we are going to be able to handle this now…