This repository has been archived by the owner on Jan 13, 2022. It is now read-only.

Getting different values for $_SESSION["FBRLH_state"] and $_GET['state'] on fb callback #529

Closed
marcelopiomsf opened this issue Oct 30, 2015 · 29 comments


@marcelopiomsf

Hey Guys,

I'm developing my website ---- and I'm having an issue with my Facebook callback page. I'm getting this error: Facebook SDK returned an error: Cross-site request forgery validation failed. The "state" param from the URL and session do not match..

I was reading Facebook PHP SDK and I found that when you call $fb->getRedirectLoginHelper() a new value for $_SESSION["FBRLH_state"] will be assigned, so when I call it again on my callback (because I need to get the accessToken), an error will happen because ($_SESSION["FBRLH_state"] != $_GET['state']);

https://github.com/facebook/facebook-php-sdk-v4/blob/master/src/Facebook/Helpers/FacebookRedirectLoginHelper.php

public function __construct(OAuth2Client $oAuth2Client, PersistentDataInterface $persistentDataHandler = null, UrlDetectionInterface $urlHandler = null, PseudoRandomStringGeneratorInterface $prsg = null)
{
    $this->oAuth2Client = $oAuth2Client;
    $this->persistentDataHandler = $persistentDataHandler ?: new FacebookSessionPersistentDataHandler();
    $this->urlDetectionHandler = $urlHandler ?: new FacebookUrlDetectionHandler();
    $this->pseudoRandomStringGenerator = PseudoRandomStringGeneratorFactory::createPseudoRandomStringGenerator($prsg);
}

Index page:

$fb = $this->facebook;
$helper = $fb->getRedirectLoginHelper();
$permissions = ['email','public_profile','user_friends'];
$loginUrl = $helper->getLoginUrl('https://fleacollege.com/login/facebook', $permissions);

//passing url from controller to view :
$this->view->facebookURL = $loginUrl;

Callback page:

$fb = $this->facebook;
$helper = $fb->getRedirectLoginHelper();

try {
    $accessToken = $helper->getAccessToken();
} catch(Facebook\Exceptions\FacebookResponseException $e) {
    // When Graph returns an error
    echo 'Graph returned an error: ' . $e->getMessage();
    exit;
} catch(Facebook\Exceptions\FacebookSDKException $e) {
    // When validation fails or other local issues
    echo 'Facebook SDK returned an error: ' . $e->getMessage() . "</br>";
    exit;
}

$accessToken = $helper->getAccessToken();
echo $_SESSION["FBRLH_state"] . "</br>";
echo $_GET['state'];

return from echo:

e7fca1bfcb37fe3262468c068b72a3de
e0eec1b15428c9429846d2b41753473f

Anyone know why this is happening? I just followed https://developers.facebook.com/docs/php/howto/example_facebook_login/5.0.0

@SammyK
Contributor

SammyK commented Oct 30, 2015

This is no doubt related to #470.

What browser are you testing this with? And what is the server configuration?

@marcelopiomsf
Author

@SammyK I'm using Firefox and I'm running PhalconPHP framework on Apache2/Ubuntu.

Now I'm using JavaScript SDK, so I'm not having any problems.

@SammyK
Contributor

SammyK commented Nov 3, 2015

I spent about 2 hours on Friday step-debugging this issue on Chrome & Safari and everything checked out. So there has to be a specific environment that's throwing this off. I know I heard from several MAMP people that they were having this issue. My version of MAMP is broken since I've used VM's for several years now. I'll try to step debug this on a working version of MAMP if I can replicate the issue, but so far I haven't been able to. :/

@marcelopiomsf
Author

@SammyK If you want I can try to replicate this issue and send you whatever you want.

@SammyK
Contributor

SammyK commented Nov 5, 2015

That'd be swell! :) If you can replicate the issue, it'd be great to narrow down which environments cause it.

@marcelopiomsf
Author

I think that I'll try to set up a VPS with this error and make it available for you to access. What do you think, @SammyK?

@SammyK
Contributor

SammyK commented Nov 5, 2015

That would be great - thanks! :)

@sachintaware

@marcelopiomsf @SammyK Thank you guys for working on this, looking forward to resolving it. (Y)
Cheers

@SammyK
Contributor

SammyK commented Nov 16, 2015

@sachintaware No problem. :)

@sachintaware

@marcelopiomsf Please update once the VPS is set. I would like to dive in! :)

@ainehickey

Don't know if this is any help but I'm getting the same issue with facebook/php-sdk-v4 (5.1.1). But when I rollback to facebook/php-sdk-v4 (5.1.0), it works.

@yguedidi
Contributor

Hi all, please try #537, it's a 2min fix. I hope it will work for you.

@yguedidi
Contributor

OK, I think I found the cause of the bug. Can you please try to add a session_start() call before everything?

@gfosco gfosco closed this as completed in f2dfdc1 Nov 19, 2015
@gfosco
Contributor

gfosco commented Nov 19, 2015

Nice, @yguedidi !

Tagged 5.1.2 release with this fix.

@GQwebsites

I had the same issue, I'm running on homestead virtual box vagrant. I went to my profile settings on Facebook, deleted the app from app settings, then ran the process again and got it to work. I'm trying to replicate the problem, but no luck

@zratan

zratan commented Jun 8, 2016

Insert this code after $helper = $fb->getRedirectLoginHelper();

$_SESSION['FBRLH_state']=$_GET['state'];
and it will work, or for more detail visit facebook login apps

@bunlongheng

@zratan: I tried adding

$_SESSION['FBRLH_state']=$_GET['state'];

after this line

$helper = $fb->getRedirectLoginHelper();

I'm still seeing this:

[screenshot]

@bunlongheng

@SammyK: Did you ever find a solution for this? I'm using your "sammyk/laravel-facebook-sdk": "~3.0",

@SammyK
Contributor

SammyK commented Oct 6, 2016

@bunlongheng What's the exact version of the PHP SDK that you have installed? The latest version (5.3.1) shouldn't require this hack. :)

@bunlongheng

bunlongheng commented Oct 6, 2016

I'm not sure, this is what I have in my composer.json

"require": {
    "php": ">=5.5.9",
    "laravel/framework": "5.1.*",
    "illuminate/html": "^5.0",
    "laracasts/utilities": "~2.0",
    "barryvdh/laravel-debugbar": "^2.0",
    "sammyk/laravel-facebook-sdk": "~3.0",
    "doctrine/dbal": "^2.5"
},
"require-dev": {
    "fzaninotto/faker": "~1.4",
    "mockery/mockery": "0.9.*",
    "phpunit/phpunit": "~4.0",
    "phpspec/phpspec": "~2.1"
},

Please let me know what I should do to fix this issue.

@SammyK
Contributor

SammyK commented Oct 6, 2016

Try updating the package:

$ composer update sammyk/laravel-facebook-sdk

@bunlongheng

bunlongheng commented Oct 6, 2016

So now, after the update, I shouldn't have to comment out this line

/Applications/MAMP/htdocs/---/vendor/facebook/php-sdk-v4/src/Facebook/Helpers/FacebookRedirectLoginHelper.php

//$this->validateCsrf();

any more? I'll try it again now to see if I can reproduce it.

@SammyK
Contributor

SammyK commented Oct 6, 2016

Yes, please don't disable CSRF protection. :)

@bunlongheng

bunlongheng commented Oct 6, 2016

I'm still facing the same issue after updating. :(

[screenshot]

I even recorded a video for you as well:

sign-in via facebook error .mov.zip

Please let me know what else I can provide. :)

@SammyK
Contributor

SammyK commented Oct 6, 2016

In the video it looks like you're using the PHP SDK v5.2.0 which has this bug in it. Did you run composer update sammyk/laravel-facebook-sdk? That should get it up-to-date with the latest version of the PHP SDK as well. You can also try composer update facebook/graph-sdk

@bunlongheng

bunlongheng commented Oct 6, 2016

I tried sudo composer update sammyk/laravel-facebook-sdk I got

Loading composer repositories with package information
Updating dependencies (including require-dev)
Nothing to install or update
Generating autoload files
php artisan clear-compiled
php artisan optimize
Generating optimized class loader

I tried sudo composer update facebook/graph-sdk I also got

Loading composer repositories with package information
Updating dependencies (including require-dev)
Nothing to install or update
Generating autoload files
php artisan clear-compiled
php artisan optimize
Generating optimized class loader

I'm really not sure what else to check now.

@ImFireblade

I'm having the same problem. I have the latest version and I'm using Lumen.

[screenshot]

What should I do?
Thank you.

@yguedidi
Contributor

Try to dump your session storage and check which value of the state param is in it; it must match the one coming from $_GET to make things work.
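
Added example (not part of the thread and not SDK code): a stand-alone PHP model of the state check discussed above. It shows how a session that does not carry the stored state to the callback produces this error, and why copying $_GET['state'] into the session, as suggested earlier in the thread, leaves a check that can never fail. The function names and the $store array standing in for $_SESSION are hypothetical, and PHP 7+ is assumed.

```php
<?php
// Added illustration, not SDK code. $store stands in for $_SESSION and the
// function names are hypothetical. Requires PHP 7+ (random_bytes, ??).

function beginLogin(array &$store): string
{
    // Login page: mint an unguessable value and keep a server-side copy.
    $store['FBRLH_state'] = bin2hex(random_bytes(16));
    return $store['FBRLH_state']; // travels to the provider as ?state=...
}

function validateState(array $store, array $query): string
{
    $saved = $store['FBRLH_state'] ?? null;
    $given = $query['state'] ?? null;
    if (!is_string($saved) || $saved === '') {
        return 'no saved state'; // session did not survive to the callback
    }
    if (!is_string($given) || !hash_equals($saved, $given)) {
        return 'mismatch';
    }
    return 'ok';
}

// Case 1: the same session is visible on the login and callback requests.
$session = [];
$state = beginLogin($session);
printf("same session:      %s\n", validateState($session, ['state' => $state]));

// Case 2: the callback sees an empty session (e.g. it was never started).
printf("empty session:     %s\n", validateState([], ['state' => $state]));

// Case 3: a new state was stored after the login URL had been issued, so
// the stored value differs from the one that comes back in the URL.
$regenerated = $session;
beginLogin($regenerated);
printf("regenerated state: %s\n", validateState($regenerated, ['state' => $state]));

// Case 4: the workaround from the thread copies the URL value into the
// session before validating. The constructed value below was never issued
// by beginLogin(), yet the comparison can no longer fail.
$query = ['state' => 'constructed-value-not-issued-by-this-site'];
$overwritten = [];
$overwritten['FBRLH_state'] = $query['state'];
printf("after overwrite:   %s\n", validateState($overwritten, $query));
```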

@puneetthakur66

@ImFireblade Could you share what you used to get this fixed? I am facing the same problem.
