facebook php login CSRF

Question

I am trying to build a facebook user login with php. I am able to get user info but every login creates an error log on my server CSRF state token does not match one provided. after login success.

I have found many tutorials around google for creating a facebook login. I have also found a few other posts for the same issue. They seem to blame calling getLoginUrl() more than once, which I am not doing. And since I am using the example that comes with the sdk, I am confused why it is broken out of the box.

<?php
    require 'facebook.php';

    $facebook = new Facebook(array(
        'appId'  => 'APP_ID',
        'secret' => 'APP_SECRET',
    ));

    $user = $facebook->getUser();

    if ($user) {
        try {
            $user_profile = $facebook->api('/me');

            $logoutUrl = $facebook->getLogoutUrl();
            echo "<a href=" . $logoutUrl . ">Logout</a><br><br>";
            print_r($user_profile);

        }
        catch (FacebookApiException $e) {
            error_log($e);
            $user = null;
        }
    }
    else {
        $loginUrl = $facebook->getLoginUrl();
        echo "<a href=" . $loginUrl . ">Login</a>";
    }
?>

Have you allowed your URL in the app settings on facebook developper site? — Simon Boudrias, Nov 04 '12 at 02:24
Yes I have. Anywhere I could find to put a URL I have entered my domain. — Zach J, Nov 04 '12 at 20:28

score 0 · Answer 1 · answered Dec 01 '13 at 15:30

Facebook SDK code has a bug when checking against tokens twice in the same handler.

I edited the getCode function of facebook.php like this:

protected function getCode() {
    if (!isset($_REQUEST['code']) || !isset($_REQUEST['state']) || $this->state === null) {
      return false;
    }
    if ($this->state === $_REQUEST['state']) {
        // CSRF state has done its job, so clear it
        $this->state = null;
        $this->clearPersistentData('state');
        return $_REQUEST['code'];
    }
    self::errorLog('CSRF state token does not match one provided.');

    return false;
}

to be more clear and does not state invalid token if called twice.

To be clear the function can be called twice on the same url handler if eg:

$facebook->getUser(); and then in the same handler $facebook->getLogoutUrl() then the getCode() is called twice thus resulting into and invalid error message

facebook php login CSRF

1 Answers1