UPDATE: Apparently, you can pass variables in using Facebook’s app_data parameter, and then grab them by parsing out the signed request. Hard to say which is now the easier solution, but here’s another option, for whatever it’s worth. I guess it would be the way to go if you wanted to keep data out of the URL, or if you want a solution that also works outside of Facebook.

Here’s a trick to let you Facebook app developers do a couple of things that are typically considered impossible.

Let’s say you have a Facebook app with a Page Tab, and you want to pass it some dynamic variables from an external site or a share post. While you can link directly to a tab by appending an ?sk=app_┬áto the page URL (example), any custom, non-Facebook variables appended to the URL won’t be passed through to your tab page.

Another problem: Let’s say that tab page has links to sub-pages that load within the main tab iFrame (a la target=”_self”). That’s all easy enough, and pretty common. But what happens when you want to link to sub-sections of your tab page from an external site or share post?

You can’t get variables in through the “front door” so to speak, but you can pass them around the back, using what I call “the cookie trick” (or, inexplicably, “cookie party,” when it’s late in the office and we’re all loopy and/or drunk). The trick involves using a redirect that stores dynamic variables in a cookie, and then sends a user to the tab. When the tab loads, it grabs the data it needs from the cookie, and then deletes it. It’s completely transparent to the end-user.

Here’s all it takes. First, a redirect script:

$var = (empty($_GET['var'])) ? false : $_GET['var'];
if ($var) { setcookie('myapp_var', $var, time()+3600); }
header('Location: '.$fb_app_url);

Then, your main tab page just needs to check for the cookie, get what it needs, and then delete it:

$var = (empty($_COOKIE['myapp_var'])) ? false : $_COOKIE['myapp_var'];
if ($var) {
	setcookie('myapp_var', '', time()-86400);
	// Do stuff with $var...

Voila. You just send your vars to something like redirect.php?var=foo, and they’re slipped to your tab via the cookie.

If you want to link to a sub-page, just pass the sub-page path into your redirect.php as a variable, and then use a PHP header() redirect, or output a line of Javascript to send your users where they need to go.

Here’s an example of a deep-link to one of four mini-games in a Page Tab I built for The Black Eyed Peas Experience game: http://promethiumtorch.com/bep/redirect.php?goto=whatsyourgroove


  • juanmatias

    juanmatias juanmatias

    Reply Author

    Ey, Thanks. I didn’t use your method as you describe it (with PHP), but it inspired me to implement it in Javascript… good idea to skip all those security checks FB has…. I was looking for a way to have a form in a FB app, then submit it to an external page and go back to the app but in a “thank you” page. I can’t create a new app because a user would have direct access… so, I set a cookie when the form is submited and then, when I load the app again, after the form submition external page, I check for the cookie and redirect the FB iframe to a thanks page.
    So, thank you, dude.

    Posted on

  • Lud

    Lud Lud

    Reply Author


    Posted on