Facebook Sdk Returned an Error: Cross-Site Request Forgery Validation Failed. the "State" Param from the Url and Session Do Not Match

  • Home
  • Languages
  • PHP
  • Facebook Sdk Returned an Error: Cross-Site Request Forgery Validation Failed. the "State" Param from the Url and Session Do Not Match

Facebook SDK returned an error: Cross-site request forgery validation failed. The state param from the URL and session do not match

I found that as long as I enabled PHP sessions before generating the login url, and at the top of the script Facebook eventually redirects to, it works just fine on its own without setting a cookie (as per ale500's answer). This is using the 5.1 version of the sdk.

At the top of both scripts, I added...

if(!session_id()) {
    session_start();
}

...and it "just worked".

Here's a barebones complete example that worked for me:

auth.php

if (!session_id()) {
    session_start();
}

$oFB = new Facebook\Facebook([
    'app_id'     => FACEBOOK_APP_ID,
    'app_secret' => FACEBOOK_APP_SECRET
]);

$oHelper = self::$oFB->getRedirectLoginHelper();
$sURL = $oHelper->getLoginUrl(FACEBOOK_AUTH_CALLBACK, FACEBOOK_PERMISSIONS);

// Redirect or show link to user.

auth_callback.php

if (!session_id()) {
    session_start();
}

$oFB = new Facebook\Facebook([
    'app_id'     => FACEBOOK_APP_ID,
    'app_secret' => FACEBOOK_APP_SECRET
]);

$oHelper = self::$oFB->getRedirectLoginHelper();
$oAccessToken = $oHelper->getAccessToken();
if ($oAccessToken !== null) {
    $oResponse = self::$oFB->get('/me?fields=id,name,email', $oAccessToken);
    print_r($oResponse->getGraphUser());
}

Why?

As an additional note, this is explained in the Docs on the repo. Look at the warning on this page.

Warning: The FacebookRedirectLoginHelper makes use of sessions to store a CSRF value. You need to make sure you have sessions enabled before invoking the getLoginUrl() method. This is usually done automatically in most web frameworks, but if you're not using a web framework you can add session_start(); to the top of your login.php & login-callback.php scripts. You can overwrite the default session handling - see extensibility points below.

I'm adding this note because it's important to keep in mind should you happen to be running your own session management or if you're running multiple web servers in parallel. In those cases, relying upon php's default session methods won't always work.

Facebook SDK error: Cross-site request forgery validation failed. Required param state missing from persistent data

fb sdk error: Cross-site request forgery validation failed. Required param "state" missing from persistent data.

It has something to do with that you are going through the routine of calling getRedirectLoginHelper and $helper->getAccessToken() twice - once "on their own", and then again inside a try-catch block (copy&paste mistake, or unfortunate debug attempt maybe?)

I'm a bit too lazy to go check the SDK source right now, but I think it deliberately unsets the state parameter inside the session after the code was exchanged for a token, as part of making the whole process more secure - so that when you call getAccessToken a second time, it fails.


Related Topics

How to Get Page Number on Dompdf PDF When Using "View"

Having Two Different Sessions in Same Domain

Retrieve Data from Db and Display It in Table in PHP .. See This Code Whats Wrong with It

What Is the Meaning of []

Yii2 Translation Does Not Work

Stored Procedures, MySQL and PHP

Difference Between Mt_Rand() and Rand()

Increase PHP Script Execution Time

Php: Do Arrays Have a Maximum Size

Laravel 5.1: Keep Uploaded File as Old Input

How to Use Array_Unique on an Array of Arrays

Domxpath - Get Href Attribute and Text Value of an a Element

Differencebetween PHP Require and Include

Disable Add to Cart Button for an Array of Products Ids in Woocommerce

Simple File Upload Script

Edit Xml with Simplexml

Leverage Browser Caching, How on Apache or .Htaccess

PHP Function Variable Scope


Leave a reply



Submit