FacebookRedirectLoginHelper - let's not regenerate CSRF token #613
Conversation
…one already exists
|
Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please sign up at https://code.facebook.com/cla - and if you have received this in error or have any questions, please drop us a line at cla@fb.com. Thanks! |
|
Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks! |
ghost
added
the
|
This is great stuff! Thanks! This should knock out most of the issues we've been having for a very long time with the CSRF (#583). I'm going to finish this one off by resetting the state after someone successfully obtains an access token so that the same CSRF token isn't being used every time. |
When
FacebookRedirectLoginHelper::getLoginUrl()is called it should first check if a CSRF token (calledstatein the source code) has already been generated and use the existing one if it has.Right now any time the method is called, a new CSRF token is generated. That means if the method is called more than once, only the last URL will be working which is a problem.
What if the user opens up a webpage in multiple tabs at once? Then he will only be able to use Facebook login in the last tab. And if you forget to put favicon.ico on your website, then he will only be able to use Facebook login in IE :) (see #583 for details).