Fix bug in CSRF state persistence when using shared sessions. #59

Merged
merged 1 commit into from Oct 15, 2013

JohnnyGoods commented Jan 28, 2013

BaseFacebook loads the stored state in its constructor. However, at
that point, the shared session ID has not yet been initialized, so
getPersistentData() will return data from the non-shared-session cookie. Since
initSharedSession() depends upon state initialized in
BaseFacebook::__construct, just re-initialize the stored
state in the shared session situation.

Added appropriate tests to check CSRF state persistence with and without shared sessions.


JohnnyGoods commented Jun 24, 2013

guys, what's the deal with completely ignoring pull requests?

it-can commented Oct 3, 2013

yes please fix this issue. This fix is not working for me btw...

gfosco commented Oct 15, 2013

Thanks for your contribution!!

gfosco added a commit that referenced this pull request Oct 15, 2013

Merge pull request #59 from JohnnyGoods/master
Fix bug in CSRF state persistence when using shared sessions.

@gfosco gfosco merged commit 64fca94 into facebookarchive:master Oct 15, 2013

it-can commented Oct 18, 2013

I still see this error in my error log file. I use nginx & php-fpm.

gfosco commented Oct 18, 2013

What error?

it-can commented Oct 21, 2013

NOTICE: PHP message: CSRF state token does not match one provided.

JohnnyGoods commented Oct 21, 2013

There are many issues that can cause a CSRF state validation failure. This patch was submitted only to address one cause, a bug that failed to initialize the CSRF state in the shared session cookie (only when the argument sharedSession = true is passed to the constructor).

I'm guessing the issue you are facing may be due to a coding error. I would recommend tracing your code and looking for anything that could be causing your FB client to be re-initialized between the auth redirect and the confirmation on callback. Often this is a redirect prior to callback confirmation.

On Oct 21, 2013, at 2:58 AM, "M. Vugteveen" notifications@github.com wrote:

NOTICE: PHP message: CSRF state token does not match one provided.


Reply to this email directly or view it on GitHub.
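The ordering bug described in the PR description and the re-initialization cause pointed at in the comment above, as an added example that is not the SDK's own code: a stripped-down PHP model of how the SDK persists the OAuth state token, with the fix switchable on and off. The class name StateModel, the key layout fb_<appId>[_<sharedSessionID>]_<name>, the fbsr_shared cookie name, the app ID and simulateLogin() are all assumptions made for illustration, and the cookie jar is a constructed array standing in for $_SESSION / $_COOKIE so the script runs from the CLI.

```php
<?php
// Added example, not facebook-php-sdk code. StateModel is an assumed, stripped-down
// model of the SDK's state handling: persisted values are keyed by app ID plus
// (when present) a shared-session ID, the constructor reads the stored state before
// initSharedSession() runs, and the $fixed flag re-reads it afterwards. The $store
// array is a constructed stand-in for $_SESSION / $_COOKIE so this runs from the CLI.

final class StateModel
{
    private array $store;
    private string $appId;
    private ?string $sharedSessionID = null;
    private ?string $state = null;

    public function __construct(array &$store, string $appId, bool $sharedSession, bool $fixed)
    {
        $this->store = &$store;
        $this->appId = $appId;
        // Original ordering: state is loaded here, so the lookup key cannot yet
        // contain the shared-session ID and hits the non-shared slot.
        $this->state = $this->getPersistentData('state');
        if ($sharedSession) {
            $this->initSharedSession();
            if ($fixed) {
                // The fix from this PR: re-read now that the key is the shared one.
                $this->state = $this->getPersistentData('state');
            }
        }
    }

    // Assumed: the shared-session ID lives in its own cookie and is created on first use.
    private function initSharedSession(): void
    {
        if (!isset($this->store['fbsr_shared'])) {
            $this->store['fbsr_shared'] = bin2hex(random_bytes(8));
        }
        $this->sharedSessionID = $this->store['fbsr_shared'];
    }

    // Assumed key layout: fb_<appId>[_<sharedSessionID>]_<name>.
    private function key(string $name): string
    {
        $parts = ['fb', $this->appId];
        if ($this->sharedSessionID !== null) {
            $parts[] = $this->sharedSessionID;
        }
        $parts[] = $name;
        return implode('_', $parts);
    }

    private function getPersistentData(string $name): ?string
    {
        return $this->store[$this->key($name)] ?? null;
    }

    private function setPersistentData(string $name, string $value): void
    {
        $this->store[$this->key($name)] = $value;
    }

    // Builds the OAuth dialog URL and persists a fresh anti-CSRF state token.
    public function getLoginUrl(): string
    {
        $this->state = bin2hex(random_bytes(16));
        $this->setPersistentData('state', $this->state);
        return 'https://www.facebook.com/dialog/oauth?state=' . $this->state;
    }

    // Callback-side check: the state echoed back must equal the persisted one.
    public function callbackStateMatches(string $received): bool
    {
        if ($this->state === null || !hash_equals($this->state, $received)) {
            error_log('CSRF state token does not match one provided.');
            return false;
        }
        return true;
    }
}

// One login round trip as two requests would see it: request 1 builds the login
// URL, the callback request constructs a fresh client and checks the echoed state.
function simulateLogin(bool $sharedSession, bool $fixed, bool $redirectBeforeCallback = false): bool
{
    $cookies = [];             // constructed cookie jar
    $appId = '1234567890';     // constructed placeholder app ID
    $first = new StateModel($cookies, $appId, $sharedSession, $fixed);
    parse_str((string) parse_url($first->getLoginUrl(), PHP_URL_QUERY), $query);
    $echoed = $query['state'];
    if ($redirectBeforeCallback) {
        // A redirect that rebuilds the client and regenerates the login URL between
        // the auth redirect and the callback overwrites the stored state.
        (new StateModel($cookies, $appId, $sharedSession, $fixed))->getLoginUrl();
    }
    $callback = new StateModel($cookies, $appId, $sharedSession, $fixed);
    return $callback->callbackStateMatches($echoed);
}

var_dump(simulateLogin(false, false));       // non-shared session, original ordering
var_dump(simulateLogin(true, false));        // shared session, original ordering
var_dump(simulateLogin(true, true));         // shared session with the re-read from this PR
var_dump(simulateLogin(true, true, true));   // fixed, but a redirect regenerated the state
```

The first and third runs succeed; the second fails exactly as the PR description explains, because the callback-side constructor read the non-shared slot and never re-read after initSharedSession(). The fourth fails with the fix applied, which is the separate cause named above: any code path that constructs a new client and calls getLoginUrl() before the callback replaces the persisted state, so the value Facebook echoes back no longer matches. When debugging the "CSRF state token does not match" notice, log the persisted key and value at both ends of the round trip before assuming the SDK is at fault.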
