Facebook Like-Gating in IFRAME Tabs


Last year, I posted about how to show certain content to fans, and other content to non-fans using FBML. As FBML becomes deprecated, however, it’s time to show you the updated way using the Open Graph, the PHP SDK and IFRAMES.

The practice of showing some content to fans and other content to non-fans is generally called “like-gating”, and it’s a pretty common practice for large and small brands alike.

The reason for like-gating is that you’re asking the user to give you permission to send messages into their newsfeed (which will be the case if they “like” the page) in return for whatever is hidden behind your like-gate. Hopefully, whatever it is you’re giving fans-only feels like it’s worth it to your users – otherwise, like-gating can come off as pretty sleazy. Be mindful of your users.

First off, we start the application normally, by requiring the Facebook PHP SDK. Obviously you have to have the Facebook SDK uploaded to a sub-directory of your app root, in a dir called ‘facebook-php-sdk’, and you have to change your AppID and your Secret to whatever Facebook gave you for the app you’ve created:

  'cookie' => true,

Facebook will return a signed request for every logged in user that loads your fan page tab. The signed request isn’t human readable, but is easily parsed using a simple function that decodes it.

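function grokSignedRequest() {
    if (isset($_REQUEST['signed_request'])) {
      $encoded_sig = null;
      $payload = null;
      // signed_request is "<base64url signature>.<base64url JSON payload>"
      list($encoded_sig, $payload) = explode('.', $_REQUEST['signed_request'], 2);
      // NOTE: $sig is decoded here but never checked against the app secret
      $sig = base64_decode(strtr($encoded_sig, '-_', '+/'));
      // the `true` is base64_decode()'s strict flag; json_decode() returns objects
      $data = json_decode(base64_decode(strtr($payload, '-_', '+/'), true));
      return $data;
    }
    // no signed_request was sent with this page load
    return false;
}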

If you do a print_r() on that signed request after it’s been run through the function, you’ll see something like this:

stdClass Object
(
    [algorithm] => HMAC-SHA256
    [issued_at] => 1307627872
    [page] => stdClass Object
        (
            [id] => 116633947708
            [liked] => 1
            [admin] => 1
        )

    [user] => stdClass Object
        (
            [country] => us
            [locale] => en_US
            [age] => stdClass Object
                (
                    [min] => 21
                )

        )

)
As you can see, they don’t give you a whole lot of information about the user – and understandably so, since the user hasn’t authorized your application by granting an “allow” yet. In fact, you can’t even get their Facebook ID or name from the signed request. What you CAN get is:

  • Page ID (which you probably already knew anyway)
  • Whether the viewing user has liked the page
  • Whether the viewing user is an admin of the page
  • Country and language (“locale”) of the user – this can be helpful with contests where the contest is only available in certain countries due to specific laws, or to provide content in multiple languages
  • Whether the user meets the criteria used in age-gating – over 13, 21+, etc

To access this data that you’ve just retrieved, you would do something like this:

// call the function to parse the signed request
$sr_data = grokSignedRequest();

// check like status (a missing signed request counts as "not a fan")
if ($sr_data && $sr_data->page->liked==1) {
	echo 'you are a fan';
} else {
	echo 'you are not a fan.';
}

// check admin status
if ($sr_data && $sr_data->page->admin==1) {
	echo '<li>Dude, you are an ADMIN! BADASS!';
}

While this method takes a bit more code, it’s actually better, IMHO. Previously, the fb:visible-to-connection FBML tag used CSS to hide and show content based on fan status. That means that clever people with just a basic level of web skills could view the source of the fan page or app and see the hidden content. This made the fan/no-fan model less than ideal for certain things.

In the IFRAME version, the fan/no-fan status is determined on the server side, so the like-gated content never reaches a non-fan’s browser. They can view the source until their fingers bleed, and they still won’t have access to your like-gated content unless they like the page. That only holds if the server checks the signed request’s signature against your app secret before trusting it; the function above decodes the payload without doing so. (Odds are, that jerk is probably going to un-like your page immediately after getting your exclusive fan-only content, though.)
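The server-side decision is only as trustworthy as the signed request it reads, so the following added example (not code from the original post) verifies the HMAC-SHA256 signature before looking at `liked`. The function names, `$secret` and the two sample requests are constructed for illustration; in a real tab the input is `$_REQUEST['signed_request']` and the key is your app secret.

```php
<?php
// Added example: verify the signed_request before trusting page->liked.
// Function names and the sample secret/requests below are constructed.

function b64url_decode($s) {
    // strict mode: fail on characters outside the base64 alphabet
    return base64_decode(strtr($s, '-_', '+/'), true);
}

function b64url_encode($s) {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function parseVerifiedSignedRequest($signed_request, $app_secret) {
    if (!is_string($signed_request) || substr_count($signed_request, '.') !== 1) {
        return false;
    }
    list($encoded_sig, $payload) = explode('.', $signed_request, 2);
    $sig  = b64url_decode($encoded_sig);
    $data = json_decode((string) b64url_decode($payload));
    if ($sig === false || !is_object($data) || !isset($data->algorithm)
        || $data->algorithm !== 'HMAC-SHA256') {
        return false;
    }
    // The HMAC is computed over the still-encoded payload string.
    $expected = hash_hmac('sha256', $payload, $app_secret, true);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $sig) ? $data : false;
}

function isFan($data) {
    return is_object($data) && !empty($data->page->liked);
}

// Constructed sample input (stands in for $_REQUEST['signed_request']).
$secret  = 'constructed-app-secret';
$payload = b64url_encode(json_encode(array(
    'algorithm' => 'HMAC-SHA256',
    'issued_at' => 1307627872,
    'page'      => array('id' => '116633947708', 'liked' => true, 'admin' => false),
)));
$signed   = b64url_encode(hash_hmac('sha256', $payload, $secret, true)) . '.' . $payload;
$unsigned = b64url_encode(str_repeat('A', 32)) . '.' . $payload; // signature does not match

foreach (array('signed' => $signed, 'unsigned' => $unsigned) as $label => $request) {
    $data = parseVerifiedSignedRequest($request, $secret);
    echo $label, ': ', isFan($data) ? 'show fan content' : 'show like-gate', "\n";
}
```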

  • Bezetter

    Nice guide 🙂

  • You sir are the Badass!! I’ve followed four other tutorials, and couldn’t get them to work.

    You don’t link to the REQUIRED facebook.php zip archive:
    that for me had to be extracted, and uploaded to the Canvas Page folder, and the facebook-php-sdk/src/facebook.php code had to be changed to just
    facebook.php  but it worked!
    I finally have a Like Gate thanks to you!
    I’m actually using it to prevent a tutorial video from appearing once someone has already liked the page (and is obviously no longer in need of the tutorial, but will still have a link to play it again).
    WiseFB author http://apps.facebook.com/fbscams/

    • I’m a ma’am, not a sir, but thanks for the kind words 🙂

  • Ansar

    I wanted to know if it was possible to know how many fans (like of the fan page) I got from a specific tab (application) on my fan page?

  • Ella

    Thank you, you saved me a lot of back pain from searching bad code 🙂