Using the facebook access token with offline_access and javascript


I have an application that has the offline_access permission, and I obtain the access token via the php sdk and store the access token in my database.

This application works through a website that interacts with facebook, but we do not require the user to be logged in to facebook while using our site. That is, to log in and use our site it is not required to be logged in to facebook. This is the reason we use the offline_access permission.

Now, the question is: how do I use the access token in javascript?

The obvious solution, which is to insert the access token in the web page via a php echo, would be insecure because we currently do not serve pages over https and thus the token travels in plain text. Moreover, if some user left his computer unattended, an attacker could use it and obtain the token by just looking into the site source.

Is there an easy way to securely use this access token? Or am I missing something?

The only way to securely use the access token with your JavaScript would be to do AJAX requests to PHP scripts. You never, ever want to have that token floating around in browser-land.