Facebook SDK returned an error: Cross-site request forgery validation failed. The state param from the URL and session do not match
I found that as long as I enabled PHP sessions before generating the login url, and at the top of the script Facebook eventually redirects to, it works just fine on its own without setting a cookie (as per ale500's answer). This is using the 5.1 version of the sdk.
At the top of both scripts, I added...
if(!session_id()) {
session_start();
}
...and it "just worked".
Here's a barebones complete example that worked for me:
auth.php
require_once __DIR__ . '/vendor/autoload.php'; // Composer autoloader for the SDK
if (!session_id()) {
    session_start(); // sessions must be live before getLoginUrl() stores the CSRF "state"
}
$oFB = new Facebook\Facebook([
    'app_id' => FACEBOOK_APP_ID,
    'app_secret' => FACEBOOK_APP_SECRET
]);
$oHelper = $oFB->getRedirectLoginHelper();
$sURL = $oHelper->getLoginUrl(FACEBOOK_AUTH_CALLBACK, FACEBOOK_PERMISSIONS);
// Redirect or show link to user.
auth_callback.php
require_once __DIR__ . '/vendor/autoload.php'; // Composer autoloader for the SDK
if (!session_id()) {
    session_start(); // same session as auth.php, so the stored "state" is available here
}
$oFB = new Facebook\Facebook([
    'app_id' => FACEBOOK_APP_ID,
    'app_secret' => FACEBOOK_APP_SECRET
]);
$oHelper = $oFB->getRedirectLoginHelper();
// getAccessToken() compares the "state" query param against the session copy and
// throws FacebookSDKException on mismatch; it returns null when no "code" param is present.
$oAccessToken = $oHelper->getAccessToken();
if ($oAccessToken !== null) {
    $oResponse = $oFB->get('/me?fields=id,name,email', $oAccessToken);
    print_r($oResponse->getGraphUser());
}
Why?
As an additional note, this is explained in the Docs on the repo. Look at the warning on this page.
Warning: The FacebookRedirectLoginHelper makes use of sessions to store a CSRF value. You need to make sure you have sessions enabled before invoking the getLoginUrl() method. This is usually done automatically in most web frameworks, but if you're not using a web framework you can add session_start(); to the top of your login.php & login-callback.php scripts. You can overwrite the default session handling - see extensibility points below.
I'm adding this note because it's important to keep in mind should you happen to be running your own session management or if you're running multiple web servers in parallel. In those cases, relying upon PHP's default session methods won't always work.
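For the case the note above raises (your own session management, or several web servers behind a load balancer), the SDK's 'persistent_data_handler' option lets you supply the store that holds the CSRF "state" instead of relying on PHP's per-server session files. The following is an added example, not code from the answers or from the SDK: an array-backed stand-in for a shared store, plus two hypothetical helpers (`issueState`, `consumeState`) that mirror the single-use check the answers describe; `SharedStorePersistentDataHandler` and the `FBRLH_` key prefix are names chosen here, and the `FACEBOOK_*` constants are the ones the answer above assumes.

```php
<?php
// Added example: custom persistent-data handler for Facebook PHP SDK 5.x.
// The SDK reads and writes the CSRF "state" through PersistentDataInterface,
// so a store shared by all web nodes replaces per-server PHP session files.
require_once __DIR__ . '/vendor/autoload.php';

use Facebook\Facebook;
use Facebook\PersistentData\PersistentDataInterface;

final class SharedStorePersistentDataHandler implements PersistentDataInterface
{
    // Stand-in for a shared backend (Redis, Memcached, a DB), constructed as a
    // by-reference array so the example runs with no external service.
    private $store;
    public function __construct(array &$store)
    {
        $this->store = &$store;
    }
    public function get($key)
    {
        return $this->store['FBRLH_' . $key] ?? null;
    }
    public function set($key, $value)
    {
        $this->store['FBRLH_' . $key] = $value;
    }
}

// Hypothetical helpers (not SDK methods) mirroring the check the answers
// describe: random state, constant-time compare, cleared after one use.
function issueState(PersistentDataInterface $h): string
{
    $state = bin2hex(random_bytes(16));
    $h->set('state', $state);
    return $state;
}
function consumeState(PersistentDataInterface $h, ?string $fromUrl): bool
{
    $stored = $h->get('state');
    $h->set('state', null); // single use: a repeat call has nothing left to match
    return is_string($stored) && $fromUrl !== null && hash_equals($stored, $fromUrl);
}

$shared  = [];
$handler = new SharedStorePersistentDataHandler($shared);
$fb = new Facebook([
    'app_id'                  => FACEBOOK_APP_ID,
    'app_secret'              => FACEBOOK_APP_SECRET,
    'persistent_data_handler' => $handler, // SDK keeps "state" here, not in $_SESSION
]);
```

With the handler wired in, both the login script and the callback script must build their `Facebook` instance with the same handler configuration, or the callback will look up the state in a store the login script never wrote to.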
Facebook SDK error: Cross-site request forgery validation failed. Required param state missing from persistent data
fb sdk error: Cross-site request forgery validation failed. Required param "state" missing from persistent data.
It has something to do with that you are going through the routine of calling getRedirectLoginHelper and $helper->getAccessToken() twice - once "on their own", and then again inside a try-catch block (copy&paste mistake, or unfortunate debug attempt maybe?)
I'm a bit too lazy to go check the SDK source right now, but I think it deliberately unsets the state parameter inside the session after the code was exchanged for a token, as part of making the whole process more secure - so that when you call getAccessToken a second time, it fails.