10 Jun
Have you commissioned a developer to build your Facebook application? Does this developer understand the difference between security in Facebook and normal web systems?
Session management is a critical part of any web system which requires authentication. We’ve noticed that a number of Facebook applications are being developed incorrectly, using the standard way of handling sessions in PHP, and this approach will leave your applications wide open to intruders.
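Sessions in PHP default to using a cookie to store the session ID; however, with FBML (Facebook Markup Language), cookies are not possible. To fix this problem, the API session_key is used as the PHP session ID, like so:
// Use the session key from the Facebook API client as the PHP session ID
session_id($facebook->api_client->session_key);
// Start (or resume) the PHP session under that ID instead of a cookie value
session_start();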
Without the correct use of session management in your applications, you will be exposing them to security threats, and this could lead to larger problems down the line.
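A slightly hardened form of the snippet above, as an added example that is not code from the original post or from the Facebook client library. The function name start_fb_session(), its parameters and the sample values are hypothetical. It assumes PHP 7 or later and hashes the session key before use, because PHP's file session handler only accepts IDs made of [a-zA-Z0-9,-].

```php
<?php
// Added example. start_fb_session() is a hypothetical helper, not a Facebook API.
// $sessionKey is the value of $facebook->api_client->session_key from the post;
// $userId is the logged-in Facebook user ID, however your application obtains it.
function start_fb_session(string $sessionKey, string $userId): bool
{
    // Refuse to start a session when the API client supplied no usable key.
    if ($sessionKey === '' || strlen($sessionKey) > 256 || $userId === '') {
        return false;
    }

    // FBML pages cannot carry cookies, so stop PHP from issuing a session
    // cookie and from rewriting URLs to carry the session ID.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_trans_sid', '0');

    // Hex output of SHA-256 is always a valid ID for PHP's session handlers,
    // and the raw session key never becomes a file name on disk.
    session_id(hash('sha256', $sessionKey));
    if (!session_start()) {
        return false;
    }

    // Bind the session to one user: if the stored owner differs from the
    // current user, discard the session data instead of reusing it.
    if (!isset($_SESSION['fb_uid'])) {
        $_SESSION['fb_uid'] = $userId;
    } elseif (!hash_equals($_SESSION['fb_uid'], $userId)) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Constructed sample values so the example runs on its own (php example.php).
$sampleKey  = 'constructed-session-key-for-illustration';
$sampleUser = '1000001';

if (start_fb_session($sampleKey, $sampleUser)) {
    $_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
    echo 'Session owner: ', $_SESSION['fb_uid'], ', visits: ', $_SESSION['visits'], "\n";
} else {
    echo "No valid Facebook session; treat the request as unauthenticated.\n";
}
```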
[via: Wiki]
One Response for "Correct use of session management for Facebook Applications"
Hi! I was surfing and found your blog post… nice! I love your blog.
Cheers! Sandra. R.