Reading the documentation:

  1. Facebook will always send a signed_request (for canvas and page urls)
  2. If it's a page, Facebook will add an extra parameter called page

so based on this, you could do something like:

if( isset($_REQUEST['signed_request']) ) {
    // We are in Canvas or Page now

    // Let's extract the data from the signed_request 
    // to check if we are inside a Facebook Page
    $app_secret = "APP_SECRET";
    $data = parse_signed_request($_REQUEST["signed_request"], $app_secret);

    if( isset($data["page"]) ) {
        echo "Page";
    } else {
        echo "Canvas";
} else {
    echo "None, or something went wrong!";

function parse_signed_request($signed_request, $secret) {
    list($encoded_sig, $payload) = explode('.', $signed_request, 2); 

    // decode the data
    $sig = base64_url_decode($encoded_sig);
    $data = json_decode(base64_url_decode($payload), true);

    if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        error_log('Unknown algorithm. Expected HMAC-SHA256');
        return null;

    // check sig
    $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
    if ($sig !== $expected_sig) {
        error_log('Bad Signed JSON signature!');
        return null;

    return $data;

function base64_url_decode($input) {
    return base64_decode(strtr($input, '-_', '+/'));

  • 16
Reply Report
      • 1
    • Is this still the case? When I experiment, a signed_request is only posted when the user lands on the canvas url. Subsequent pages do not get it.
    • When tested; I am getting the signed_request; but can't detect page parameter; would you please consider update to date?

I also had to add website in the criteria. This is my Yii code

    if(empty($_POST['signed_request']) === false)
        $signedRequest  =   Yii::app()->fb->getSignedRequest(); 

            $this->layout   =   'tab';          

    else if(isset($signedRequest['user']) && ! isset($signedRequest['page']))
        $this->layout   =   'canvas';
        $this->layout   =   'website';  
  • 0
Reply Report

Thanks to @ifaour solution; I had to modify it to get it work;

This what worked for me; I noticed that signed request is only sent when site is loaded under canvas; but when direct access then no signed request is sent.

So I ended using this code:

if( !isset($_SESSION['signed_request']) && empty($_SESSION['signed_request']) ) {
    exit("direct access not allowed.");

    // echo 'Canvas';
    // continue script
  • 0
Reply Report

Warm tip !!!

This article is reproduced from Stack Exchange / Stack Overflow, please click

Trending Tags

Related Questions