Facebook SDK returned an error: Cross-site request forgery validation failed. The “state” param from the URL and session do not match

南方客 2020-12-01 01:37

I'm trying to get Facebook user id using the PHP SDK like this

$fb = new Facebook\Facebook([
    'app_id' => '11111111111',
    'app_secret' =>


        
25 Answers
  • 2020-12-01 02:11

    I got this error while using the Facebook SDK in Symfony2, writing a Twig Extension to display data from the API in templates.

    The solution for me was adding 'persistent_data_handler'=>'session' to the Facebook object config, which causes the state data to be stored in a session key instead of memory:

    $fb = new Facebook\Facebook([
        'app_id' => 'APP_ID',
        'app_secret' => 'APP_SECRET',
        'default_graph_version' => 'v2.4',
        'persistent_data_handler'=>'session'
    ]);
    

    By default, it was using the built-in memory handler, which didn't work properly for me. Maybe because some functions are being called from within a Twig Extension, as the memory handler does work when using the SDK exclusively in normal controllers/services.

    Apparently the state is set when you call getLoginUrl(), and is retrieved anytime you call getAccessToken(). If the saved state returns null (because your data handler isn't as persistent as it should be), the CSRF validation check fails.

    If you need to treat sessions in a particular way or you want to store the state somewhere else, you can also write your own handler with 'persistent_data_handler' => new MyPersistentDataHandler(), using the FacebookSessionPersistentDataHandler as an example.

    0 Discussion (0)
  • 2020-12-01 02:12

    For me, the problem was that I wasn't running a session before the script.

    So, I added session_start(); before instantiating the Facebook class.

    0 Discussion (0)
  • 2020-12-01 02:13

    The same issue occurred to me on Laravel 5.4. I solved this issue by putting

    session_start();
    

    at the top of the script.

    Below is a sample Laravel controller namespace to give you an example of how it will work.

    <?php
    namespace App\Http\Controllers;
    session_start();
    use Facebook\Facebook as Facebook;
    ?>
    

    The issue occurs because the session has not yet started, so by adding session_start() at the top of the script we are just starting the session.

    Hope it may help somebody.

    0 Discussion (0)
  • 2020-12-01 02:13

    The error is triggered if the origin hostname is different from the target hostname [as Souch mentioned]. When visitors type "http://website.com" into the URL address box, that is different from "http://www.website.com". We redirect them to the correct URL by adding the following code at the topmost position, before session_start().

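    // Send visitors to the canonical hostname before the session starts.
    if ($_SERVER['HTTP_HOST'] !== 'www.website.com') {
        header('Location: http://www.website.com');
        exit; // stop executing once the redirect header is sent
    }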
    
    0 Discussion (0)
  • 2020-12-01 02:14

    Easy fix for me. I changed:

    $loginUrl = $helper->getLoginUrl('http://www.MYWEBSITE.ca/index_callback.php', $permissions);
    

    to:

    $loginUrl = $helper->getLoginUrl('http://MYWEBSITE.ca/index_callback.php', $permissions);
    

    Removing the 'www' solved the problem.

    0 Discussion (0)
  • 2020-12-01 02:15

    This is a common issue that many people face in the FB API. This is only a SESSION problem. To solve this issue, add some code like the following.

    In the callback script (usually fb-callback.php), add "session_start();" just before you include the Facebook autoload file, and then "$_SESSION['FBRLH_state']=$_GET['state'];" after the "$helper = $fb->getRedirectLoginHelper();" line.

    Example:

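    <?php
    session_start();
    include 'vendor/autoload.php';
    include 'config.php'; /* Facebook config */
    $helper = $fb->getRedirectLoginHelper();
    // Overwrite the saved state with the value from the callback URL.
    $_SESSION['FBRLH_state'] = $_GET['state'];
    try {
      $accessToken = $helper->getAccessToken();
    } catch (Facebook\Exceptions\FacebookSDKException $e) {
      // The posted snippet ended after the try block; a catch is required for valid PHP.
      exit('Facebook SDK returned an error: ' . $e->getMessage());
    }
    ?>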
    
    0 Discussion (0)
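
A simplified model of the check the answers above describe (state saved when the login URL is built, compared on the callback), as an added example that is not part of any answer and not the SDK's own code. The function names, the array standing in for `$_SESSION` and the example.test hostnames are assumptions; `FBRLH_state` is the session key quoted in the last answer.

```php
<?php
// Added example: a simplified model of the state check, not the SDK's source.
// $session stands in for $_SESSION; 'FBRLH_state' is the key named on this page.

// Login page: create an unguessable state, save it, and return it for the URL.
function issueState(array &$session): string
{
    $state = bin2hex(random_bytes(16));
    $session['FBRLH_state'] = $state;
    return $state;
}

// Callback: accept only if the URL's state equals the one saved earlier.
function validateState(array $session, array $query): bool
{
    $saved = $session['FBRLH_state'] ?? null;
    $given = $query['state'] ?? null;
    if (!is_string($saved) || !is_string($given)) {
        return false; // nothing saved (or nothing sent): fail closed
    }
    return hash_equals($saved, $given); // constant-time comparison
}

function report(string $label, bool $ok): void
{
    echo str_pad($label, 44), $ok ? "state accepted\n" : "CSRF validation failed\n";
}

// 1. Same session on the login request and on the callback.
$session = [];
$state = issueState($session);
report('same session', validateState($session, ['state' => $state]));

// 2. Session lost between requests: session_start() missing, or the cookie
//    was set for www.example.test and the callback arrives on example.test.
report('session lost', validateState([], ['state' => $state]));

// 3. Callback carrying a state this application never issued (constructed value).
$foreign = ['state' => 'constructed-foreign-state'];
report('foreign state', validateState($session, $foreign));

// 4. Same callback, but the session value is overwritten from the URL first,
//    as in $_SESSION['FBRLH_state'] = $_GET['state']: both sides of the
//    comparison now come from the request.
$overwritten = ['FBRLH_state' => $foreign['state']] + $session;
report('foreign state, session overwritten first', validateState($overwritten, $foreign));
```

Case 2 is the situation that starting the session, a persistent data handler, or a consistent hostname repairs. In case 4 the comparison can no longer tell the foreign callback from a legitimate one.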