CSRF state token does not match one provided [duplicate]

Answer 1

getLoginUrl() generates a new token. If your user is already logged in (with $user_id = $facebook->getUser()), you'll end up with 2 tokens.

Don't ask for the $loginUrl if the user is authenticated already.

$user_id = $facebook->getUser();

if ($user_id) {
    $_SESSION['user_id'] = $user_id;
    echo ""; 
    exit;
} else {
    $loginUrl = $facebook->getLoginUrl(array(
        'scope' => 'publish_stream')
    );
}

?>