用户具有有效的访问令牌，换句话说，在某个时候登录到您的站点。 FB给你前端的会话数据，所以得到这样：

You can check if the user has a valid access token, in other words, was logged on to your site at some point. FB gives you the session data on the front end so get it like this:

    FB.getLoginStatus(function(response){
        //send the response to the back end in a json string
    });

然后使用旧版签名验证的修改版本在后端进行验证。它接缝工作。请让我知道，如果我错过了一些东西。
它只会告诉您用户标识，访问令牌与您的站点匹配。不需要卷曲电话。
它不告诉你，如果会话实际上是当前有效的，但是不要依赖它为您的银行系统或任何东西。

Then validate it on the back end using a modified version of the legacy signature validation. It seams to work. Please let me know if I'm missing something. It only tells you that the user id, access token match for your site. No curl calls needed. It doesn't tell you if the session is actually currently valid though so don't rely on it for your banking system or anything.

function validateFB_sessionObj($sessionObj){//pass me the session data object
   $sessionObj = $sessionObj->session;
   global $fb;//pull in the secret fb keys
   if (!is_object($sessionObj) || !isset($sessionObj->uid) || !isset($sessionObj->access_token) || !isset($sessionObj->sig)){
//       warning("facebook session object is lacking something", $sessionObj);
       return false;
   }
   $expectedSig = generateSig($sessionObj, $secret);
   if ($sessionObj->sig = $expectedSig){
     //  status("fb signature looks good");
       return true;
   } else {
    //   warning("facebook signature looks wrong", $sessionObj);
       return false;
   }
}

function generateSig($params, $secret){
   $string = $params->access_token . $params->uid . $secret;
   return md5($string);
}