
I am using Facebook login on my website.

I downloaded the Facebook PHP SDK source from https://github.com/facebook/facebook-php-sdk

For Facebook login, I followed the steps given at http://25labs.com/tutorial-integrate-facebook-connect-to-your-website-using-php-sdk-v-3-x-x-which-uses-graph-api/

On the first instance it never logs in; I am only able to log in through Facebook after 2 attempts. A CSRF error shows up every time I try to log in.

On digging into the code (base_facebook.php) further, I came to know that on the first login instance $this->state is not equal to $server_info['state'], hence the CSRF error.

I tried to find a solution to this error by browsing through various posts, however, with no success. Please suggest a solution. Thanks.

Bhavik
  • possible duplicate of [CSRF state token does not match one provided FB PHP SDK 3.1.1 Oauth 2.0](http://stackoverflow.com/questions/8977502/csrf-state-token-does-not-match-one-provided-fb-php-sdk-3-1-1-oauth-2-0) – CBroe Oct 30 '13 at 10:59
  • Tried the responses mentioned in the above-mentioned link; however, the issue persists, with the CSRF error continuing to appear in the error log – Bhavik Oct 30 '13 at 11:56

1 Answer

I had this problem too.

On my site I also set a cookie and $_SESSION variable by the name 'state'. This was causing a conflict with the Facebook class since the FB class uses the same key name.

Below is my resolution for others with this issue:

Facebook PHP SDK v3.2.3

What we're going to do is swap out certain instances of 'state' with 'fb_state'.

EDIT (Marcus): I also swapped out all instances of $_REQUEST['state'] with $_GET['state']. This forces the application to get the 'state' value from the URL after user authorization, as $_REQUEST will pick up any stored 'state' cookie you might already have. And in my case, there was one.

E.g. www.example.com/?code=AQA5cjNZ8iuZ...&state=48a4a0a89ebb0c568f713fabebcd4899#=

My previously stored 'state' cookie due to previous activity on my own site: ON

echo $_REQUEST['state']; // produces 'ON'

echo $_GET['state']; // produces 48a4a0a89ebb0c568f713fabebcd4899

This is on my own site, and I wasn't about to go changing my site's method of storing cookies and session variables on the server just for the FB SDK.

Without changing $_REQUEST to $_GET, the getCode() function will return false because:

if ($this->state === $_REQUEST['state']) {

will not resolve. The actual comparison would be 48a4a0a89ebb0c568f713fabebcd4899 against 'ON' in my case.

src/facebook.php

public function __construct($config) {
    ...
    $state = $this->getPersistentData('state'); // line 67
    // change to
    $state = $this->getPersistentData('fb_state');

protected static $kSupportedKeys =
    array('fb_state', 'code', 'access_token', 'user_id'); // line 83

src/base_facebook.php

$state = $this->getPersistentData('fb_state'); // line 263

$this->clearPersistentData('fb_state'); // 730

$this->setPersistentData('fb_state', $this->state); // line 776

Hope this helps somebody in the future.

Marcus (mferly)
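As an added example (this is not code from the answer above or from the Facebook PHP SDK), the following stand-alone PHP script reproduces the collision the answer describes with constructed data and shows a state check that keeps the token under an SDK-specific session key and reads the callback value only from the query string. The key name fb_state, the cookie value 'ON', the code value and the function names are assumptions for this demonstration.

```php
<?php
// Added example, not part of the Stack Overflow answer or the Facebook PHP SDK.
// Demonstrates why reading the OAuth "state" parameter from $_REQUEST breaks
// when the site already has its own cookie named "state", and a namespaced,
// $_GET-only check. Names (fb_state, issueState, verifyState) and sample
// values ('ON', the code value) are assumptions for this demonstration.

declare(strict_types=1);

// Issue a fresh state token at login time and store it under an SDK-specific
// session key so it cannot collide with the site's own "state" session data.
function issueState(array &$session): string
{
    // 32 hex characters, the same length as the token shown in the answer.
    $state = bin2hex(random_bytes(16));
    $session['fb_state'] = $state;
    return $state;
}

// Verify the provider's redirect: read only from the query string, compare in
// constant time, and clear the stored token so it is single-use.
function verifyState(array &$session, array $get): bool
{
    $expected = $session['fb_state'] ?? null;
    $received = $get['state'] ?? null;
    unset($session['fb_state']);            // consume the token either way
    if (!is_string($expected) || !is_string($received)) {
        return false;
    }
    return hash_equals($expected, $received);
}

// Constructed scenario: the site set a cookie named "state" = "ON" earlier,
// then the OAuth provider redirected back with ?code=...&state=<token>.
$session = [];
$token   = issueState($session);
$get     = ['code' => 'AQA5cjNZ8iuZ', 'state' => $token];   // assumed code value
$cookie  = ['state' => 'ON'];

// When request_order is empty, PHP builds $_REQUEST in variables_order
// (default "EGPCS"), registering GET, then POST, then Cookie, with later
// sources overwriting earlier ones. This simulates that merge.
$request = array_merge($get, $cookie);

var_dump($request['state'] === $token);  // bool(false): the cookie overwrote the token
var_dump($get['state'] === $token);      // bool(true)
var_dump(verifyState($session, $get));   // bool(true): first use succeeds
var_dump(verifyState($session, $get));   // bool(false): token already consumed
```

Run it with `php example.php`. Beyond renaming the key, verifyState uses hash_equals rather than === so the comparison does not leak timing information, and it deletes the stored token before comparing so a captured callback URL cannot be replayed through the same session.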