Notes for Facebook Flash-Apps
Some links to read and learn from…
…Unfortunately you’ll need to proxy your requests through the domain on which your SWF is hosted, as it is the only trusted domain by default and Facebook’s crossdomain policy file obviously isn’t going to change to accommodate your server.
However, I made a strange combination which seems secure to me:
1. I did what is described on the Fb:swf wiki page (http://wiki.developers.facebook.com/index.php/Fb:swf, under "To verify that your Flash object was loaded from a Facebook page, do the following. For security, this technique does not embed your secret key in your Flash app:") to verify that the user comes from Facebook: all the parameters and the secret key are md5ed as one string and the result is compared against fb_sig.
2. Additionally I use Volund's method ($token = md5('secretstring' . $userid)): the userID is sent both plain and encoded through GET, and the two are then checked against each other. If the md5 of the secret string plus the plain userID matches the encoded userID (which I generated with PHP on the page where the SWF is embedded and passed in via flashvars), the PHP script grants database access to all entries that belong to that userID.
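The two checks from steps 1 and 2 written out as server-side PHP; this is an added example, not the post's own code. It assumes the legacy Facebook platform signature scheme (fb_sig_* parameters with the prefix stripped, sorted by key, concatenated as key=value, app secret appended, then md5), and the function names verify_fb_sig, verify_user_token and authorised_user_id are mine.

```php
<?php
// Added example, not the post's own code. Both checks run server-side, so the
// app secret and 'secretstring' never reach the SWF (which is the point of step 1).

// Step 1: legacy Facebook signature (assumed scheme): take every fb_sig_* param,
// strip the prefix, sort by key, concatenate as key=value, append the app secret,
// md5 the result and compare it against fb_sig.
function verify_fb_sig(array $params, string $app_secret): bool {
    if (!isset($params['fb_sig'])) {
        return false;
    }
    $sig_params = [];
    foreach ($params as $key => $value) {
        if (strpos($key, 'fb_sig_') === 0) {
            $sig_params[substr($key, strlen('fb_sig_'))] = $value;
        }
    }
    ksort($sig_params);
    $payload = '';
    foreach ($sig_params as $key => $value) {
        $payload .= $key . '=' . $value;
    }
    // hash_equals: constant-time comparison, so the check does not leak timing.
    return hash_equals(md5($payload . $app_secret), (string) $params['fb_sig']);
}

// Step 2: Volund's token, $token = md5('secretstring' . $userid), generated by the
// embedding PHP page and passed in via flashvars; the endpoint recomputes it from
// the plain userid it received and compares the two.
function make_user_token(string $secret_string, string $user_id): string {
    return md5($secret_string . $user_id);
}

function verify_user_token(string $secret_string, string $user_id, string $token): bool {
    return hash_equals(make_user_token($secret_string, $user_id), $token);
}

// The data endpoint: returns the user id only when both checks pass, and the
// caller scopes its database query to that id (never to a raw GET value).
function authorised_user_id(array $get, string $app_secret, string $secret_string): ?string {
    if (!verify_fb_sig($get, $app_secret)) {
        return null;                       // not loaded from a Facebook page
    }
    if (!isset($get['userid'], $get['token'])
        || !verify_user_token($secret_string, (string) $get['userid'], (string) $get['token'])) {
        return null;                       // token does not match the plain userid
    }
    return (string) $get['userid'];
}
```

The example keeps the post's md5(secret . id) so both sides match; if the token scheme is ever changed, hash_hmac('sha256', $user_id, $secret_string) is the stronger form of the same idea, since a raw md5 over secret-then-message is a length-extendable construction.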