CSRF state token does not match one provided [duplicate]

前端未结

关注

 4  977

礼貌的吻别

相关标签:

4条回答

感动是毒

2021-01-06 05:35

Although it is not stated in the Facebook PHP API documentation, you have to have apache configured for PHP sessions for the login process to work. That turned out to be the problem we encountered when we were getting the "CSRF state token does not match one provided".

Make sure if you are using a server pool that you have it set up to use memcache for session information, otherwise apache will write the session information locally and if the next request doesn't go to the same server you will get the "CSRF state token does not match one provided".

This was one of those things that worked like a charm in a development environment (with one server) but failed in production.

We also had to reconfigure our CDN settings to make sure we were passing through the PHP Session cookie.

0 讨论(0)
发布评论:

提交评论
- 加载中...

鱼传尺愫

2021-01-06 05:50

getLoginUrl() generates a new token. If your user is already logged in (with $user_id = $facebook->getUser()), you'll end up with 2 tokens.

Don't ask for the $loginUrl if the user is authenticated already.

$user_id = $facebook->getUser();

if ($user_id) {
    $_SESSION['user_id'] = $user_id;
    echo "<script>top.location.href = 'https://www.example.com/app-folder/welcome'</script>"; 
    exit;
} else {
    $loginUrl = $facebook->getLoginUrl(array(
        'scope' => 'publish_stream')
    );
}

0 讨论(0)

北荒

2021-01-06 05:53
I had to do the following:
1. Use PHP SDK's getLoginUrl only on the first page (ie. login/index) and remove it from all the other pages.
2. Use FB.getLoginStatus() from the Javascript SDK and fallback to the FB.login() or a redirect to the login/index page
3. Check the FB.getLoginStatus() before you attempt anything that might require a valid access_token
I'm convinced that the main issue was the fact that I called getLoginUrl on every single page.

Since I made these changes I only get the "CSRF state token" error in the logs when robots hit my pages.
0 讨论(0)
发布评论:

提交评论
- 加载中...
礼貌的吻别

2021-01-06 05:53
work-around :
go to base_facebook.php

look for the protected function getCode() this is the problem.
the $this->state variable doesn't stay saved for off-site navigation (natural)

replace this:
```
if ($this->state !== null &&
isset($_REQUEST['state']) &&
$this->state === $_REQUEST['state']) {
```
with this:
```
if ($_REQUEST['state'] != '' && $_REQUEST['code'] != '') {
```
And it's going to work just good

G@bri3l
0 讨论(0)
发布评论:

提交评论
- 加载中...

热议问题