

Ask HN: Disqus authentication? - EGreg

I sometimes visit blogs I've never been to before, and they have IntenseDebate or DISQUS. What's strange is that these comment systems already know who I am, and my facebook uid, even though I have never been to that domain before.<p>Doesn't that violate http://www.insidefacebook.com/2008/12/26/widget-entrepeneurs-await-clarity-from-facebook-on-4th-party-connect-policy/<p>According to this policy,<p>"The widget developer can have a relationship with the site owner, but not directly with the user… The user has established a relationship with two parties: Facebook and the website. A widget developer should not create a third connection."<p>But it seems that somehow, DISQUS is saving the facebook uid it obtains, probably in its own session. That is my guess. So when I visit a new blog the widget recognizes me. I want to do the same, but I am just wondering if there was something I was missing.<p>I guess it's fine, but if someone else signs in on my facebook, DISQUS will continue to have the old identity for me on the blogs, not that of the person who signed into facebook.
======
megaman821
Disqus sets a login cookie. If you logged into Disqus using Facebook on any
site you will be logged into Disqus even if it is embedded on another site.

~~~
EGreg
Yeah but how did you log into Disqus using Facebook?

I guess the 2008 policy for 4th party widgets isn't in effect anymore?

That's fine, but also... how does DISQUS get around Safari's 3rd party cookie
problem? I guess they don't...

~~~
megaman821
Disqus makes a request vio OAuth to authenticate you via Facebook. It then
stores the authentication token which will authenticate you to Facebook in the
future until you revoke it.

Also by putting the Disqus javascript widget on your page you will probably
have cookies for: example.com disqus.com and example.disqus.com (if example
was your disqus site name).

~~~
EGreg
But how is disqus able to store the fbs_<appid> cookie which is returned,
under safari?

