Possible Duplicate:
CSRF state token does not match one provided FB PHP SDK 3.1.1 Oauth 2.0
CSRF state token does not match one provided

I checked again and again with devs facing a similar issue with the Facebook API. The PHP-SDK logs an error on every run that says

CSRF state token does not match one provided.

The weird thing is, the intended application seems to work fine (it's a batch posting script, and as soon as I reset the batch, it generates this error).

So I tracked it down to base_facebook.php in the PHP-SDK provided here, and changed this code (in here):

  protected function getCode() {
    if (isset($_REQUEST['code'])) {
      // Accept the code only if the state stored by the SDK is strictly
      // identical to the state echoed back in the request.
      if ($this->state !== null &&
          isset($_REQUEST['state']) &&
          $this->state === $_REQUEST['state']) {

        // CSRF state has done its job, so clear it
        $this->state = null;
        $this->clearPersistentData('state');
        return $_REQUEST['code'];
      } else {
        self::errorLog('CSRF state token does not match one provided.');
        return false;
      }
    }

    return false;
  }

to this one (just to track errors in the error log):

  protected function getCode() {
    if (isset($_REQUEST['code'])) {
      // Read the request state once so the checks below never touch an undefined index
      $requestState = isset($_REQUEST['state']) ? $_REQUEST['state'] : null;
      // Keep the strict (===) comparison: a loose == can treat different token strings as equal
      if ($this->state !== null && $requestState !== null && $this->state === $requestState) {
        // CSRF state has done its job, so clear it
        $this->state = null;
        $this->clearPersistentData('state');
        return $_REQUEST['code'];
      } else {
        // Record which of the three conditions failed
        $add = '';
        if ($this->state === null) {
            $add .= ' state is null.';
        }
        if ($requestState === null) {
            $add .= ' state is not set.';
        }
        if ($this->state !== $requestState) {
            $add .= ' states do not match.';
        }
        self::errorLog('CSRF state token does not match one provided.' . $add);
        return false;
      }
    }

    return false;
  }

On running the app again, the error is updated to:

CSRF state token does not match one provided. state is null. states do not match.

Now, $this->state() is NULL. I did not expect this to be the least of the errors in the Facebook SDK. I'm sure my app only generates one login URL request, and that too only if the user has no session with my app.

Help will be appreciated.

whizzzkid
  • This is not a duplicate. For the possible duplicates two tokens are generated that don't match. For this problem it appears that the Facebook SDK doesn't have access to the persistent data that was set. Same symptoms, but a different problem. (I'm having the same issue) – Syntax Error Jan 22 '13 at 04:27
  • What can I do to get it unlocked? – whizzzkid Jan 23 '13 at 05:46
  • I wasn't able to find a solution, and neither was a Facebook API expert who looked at it. We ended up using the JavaScript SDK for gaining permissions and passing that token and userid to the server via ajax so we could do everything else in PHP. I'm not usually a JS cheerleader, but it was only about 15 mins. to set up and there's no clunky redirecting involved. I'd recommend going that route. – Syntax Error Jan 23 '13 at 19:43
  • Also I flagged the question and explained in detail why it's not a duplicate. Maybe that will get it reopened, maybe not. – Syntax Error Jan 23 '13 at 19:48
  • Any luck on this finally? Same issue – Jimmy Kane Nov 23 '13 at 16:29
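
Added example (not part of the original post or its comments, and not the Facebook PHP SDK's code): a stand-alone OAuth state check that reports a missing stored state separately from a missing or mismatched request state, which is the distinction behind the "state is null" log line above. The function names and the array-backed store are hypothetical; the store stands in for the session that would normally persist the state.

```php
<?php
// Added illustration, not Facebook PHP SDK code; all names are hypothetical.
// Requires PHP 7+. $store stands in for whatever persists the state between
// the login redirect and the callback (the PHP session in a web app).

function issueState(array &$store): string
{
    // Unpredictable token, persisted before the user is redirected.
    $store['state'] = bin2hex(random_bytes(16));
    return $store['state'];
}

function checkState(array &$store, array $request): string
{
    $stored = isset($store['state']) ? $store['state'] : null;
    $given  = isset($request['state']) ? $request['state'] : null;

    if (!is_string($stored)) {
        // Nothing persisted, already consumed, or a different store than at login.
        return 'no-stored-state';
    }
    if (!is_string($given)) {
        // Absent, or an array such as state[]=x; never compare those.
        return 'no-request-state';
    }
    if (!hash_equals($stored, $given)) {   // strict, constant-time comparison
        return 'mismatch';
    }
    unset($store['state']);                // single use: clear after success
    return 'ok';
}

// Constructed scenarios, run in order against array-backed stores.
$session = [];
$token   = issueState($session);
$empty   = [];   // a process that never saw the store used at login

printf("%-18s %s\n", 'store unavailable:', checkState($empty, ['code' => 'c', 'state' => $token]));
printf("%-18s %s\n", 'state omitted:', checkState($session, ['code' => 'c']));
printf("%-18s %s\n", 'forged state:', checkState($session, ['code' => 'c', 'state' => 'forged']));
printf("%-18s %s\n", 'valid callback:', checkState($session, ['code' => 'c', 'state' => $token]));
printf("%-18s %s\n", 'replayed callback:', checkState($session, ['code' => 'c', 'state' => $token]));
```

Logging the returned reason rather than one generic message separates a persistence problem (the state never reached the code handling the callback, or was already consumed) from a request carrying the wrong token.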

0 Answers