There are still some issues with facebook flash api vs. facebook communication. Some of them, you as an application developer, will never get into, but general user will. For example, when new user comes into your facebook iframe flash application for a first time, the first thing he see is “Allow Access?” window:

After clicking “Allow”, you should serve user your flash app. But, notice there is no fb_sig_session_key parameter in facebook iframe src. So you wount be able to verify user session with:

if(parameters.fb_sig_session_key)
    session.verifySession();
else
    session.login()

… and new window is opened instead (that handles the session) so users get confused…

Solution 1

After some thinking I came to this idea. Once user allowed your app, it is enough to refresh page and the session parameter is available, this can be done in javascript:

FB.Bootstrap.requireFeatures(["Connect"], function(){
    FB.Facebook.init(api_key, xd_receiver);

    // open facebook "Allow Access" window:
    FB.Connect.requireSession(function() {
        // user clicked on "Allow"
        // ask for fb_sig_session_key parameter if not found
        if(!getRequestParameter("fb_sig_session_key")){
            // lets ask for it with simple refresh
            top.location =  "http://apps.facebook.com/MYAPPNAME/";
        }else{
            // we have fb_sig_session_key, ready for flash app
        }
    });
}

// support function, you can use your own test
function getRequestParameter(name){
    name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
    var regex = new RegExp("[\\?&]" + name + "=([^&#]*)");
    var results = regex.exec(window.location.href);
    return results == null ? "" : results[1];
}

Solution 2

Update: I just discovereded, there is a cleaner solution, as the authorizing application spec says. It states there that:

Facebook passes the following parameters to your application when a user interacts with your application:
fb_sig_added: If set to true, then the user has authorized your application.
…

Facebook passes the following parameters only if fb_sig_added is true (that is, if the user has authorized your application):
fb_sig_session_key: …

Facebook offers server side or client side login request (read section How Users Can Authorize an Application) in combination with Post-Authorize Redirect URL. Solutions works this way:

1. new user comes to your app
2. your app (client side or server side) redirects user to original facebook page where user can authorize your application (see image)
3. after authorization user is redirected to your app again (Post-Authorize Redirect URL used, typically, you want to make this URL your canvas page)
4. BEHOLD user is back on your app with fb_sig_session_key

Here is some code for server side redirect:

<?php
require_once 'facebook.php';

$appapikey = 'YOUR API KEY';
$appsecret = 'YOUR APPLICATION SECRET';
$facebook = new Facebook($appapikey, $appsecret);
$user = $facebook->require_login();

… or use client side (FBML) code to redirect:

<fb:if-is-app-user>
  <!-- your normal code -->
  <fb:else>
   <fb:redirect url="http://www.facebook.com/login.php?v=1.0&api_key=[your_app_key]&next=[your_canvas_page_URL]&canvas="/>
  </fb:else>
</fb:if-is-app-user>