
I'm using the A3M CodeIgniter library, with updated FB PHP-SDK 3.2.

I'm forced into updating from 2.x as Facebook retired their 'legacy' connection method the other day, and that's what the a3m framework used. So I updated to the SDK, and now cannot get the connect process working for a number of reasons:

  1. Infinite redirect of getLoginUrl()
  2. CSRF state token does not match one provided errors (not using getLoginUrl() if I get a user).
  3. User is ALWAYS 0, even though I am logged in on FB.

I am really not sure what to do at this point.

My thoughts:

  • CodeIgniter could be stripping the response code / state ? Not sure
  • Authentication is failing / no errors being dropped other than CSRF error (not from CI!)
  • Many issues reported (especially on SO) with this infinite redirect from FB
  • Many issues reported on CSRF issue with PHP SDK.

REF:
https://github.com/facebook/facebook-php-sdk - FB SDK
https://github.com/pengkong/A3M-for-CodeIgniter-2.0 - A3M framework (which I am part of managing).

Ideas?

Jakub
  • I've experienced similar problems with the FB PHP SDK. One thing I always forget to check is that sandbox mode is enabled for local testing. Also, Chrome doesn't set domain cookies for localhost, which could cause issues (http://stackoverflow.com/a/8225269/222622) – devers Nov 01 '12 at 14:01
  • possible duplicate of [Why is Facebook PHP SDK getUser always returning 0?](http://stackoverflow.com/questions/6790272/why-is-facebook-php-sdk-getuser-always-returning-0) – Barmar Dec 26 '12 at 19:16

2 Answers


Destroy the session with $facebook->destroySession() for getting user 0.

Regarding 2, the Facebook SDK code has a bug when checking against tokens twice in the same handler.

I edited the getCode function of facebook.php like this:

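protected function getCode() {
    // No code/state in the request, or the stored state was already
    // consumed: nothing to validate, so return quietly without logging.
    if (!isset($_REQUEST['code']) || !isset($_REQUEST['state']) || $this->state === null) {
        return false;
    }
    if ($this->state === $_REQUEST['state']) {
        // CSRF state has done its job, so clear it
        $this->state = null;
        $this->clearPersistentData('state');
        return $_REQUEST['code'];
    }
    // A stored state exists but the request's state differs: reject and log.
    self::errorLog('CSRF state token does not match one provided.');

    return false;
}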

so that it is clearer and does not report an invalid token if called twice.

To be clear, the function can be called twice in the same URL handler, e.g.:

$facebook->getUser(); and then, in the same handler, $facebook->getLogoutUrl(). getCode() is then called twice, resulting in an invalid error message.

Jimmy Kane
  • thanks, I previously solved this with a patch similar to what you proposed, marking as answer as it was the solution I used before. – Jakub Dec 01 '13 at 18:02
  • @Jakub it's a pity that FBSDK for php has so many bugs. Really hard to get things solved. – Jimmy Kane Dec 01 '13 at 18:08
  • @Jakub there is also a pull request https://github.com/facebook/facebook-php-sdk/pull/122 – Jimmy Kane Dec 01 '13 at 18:09
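
Added example (not part of the answers on this page and not the SDK's own code): a stand-alone model of the one-time `state` check discussed in the answer above. It calls the check twice in one handler, first with the behaviour the answer reports as the bug and then with the answer's variant, and confirms that a forged `state` is still rejected and logged. `StateModel`, its method names and all token values are hypothetical and constructed for illustration.

```php
<?php
// Added example: stand-alone model of the one-time OAuth "state" check.
// StateModel and $request stand in for the SDK object and $_REQUEST.
class StateModel {
    public $log = array();
    private $state;
    public function __construct($state) { $this->state = $state; }

    // Behaviour the answer reports: once the state is consumed, any later
    // call that still sees ?code=... logs a CSRF failure.
    public function getCodeUnpatched(array $request) {
        if (!isset($request['code'])) {
            return false;
        }
        if ($this->state !== null && isset($request['state'])
                && $this->state === $request['state']) {
            $this->state = null; // one-time token: consume on success
            return $request['code'];
        }
        $this->log[] = 'CSRF state token does not match one provided.';
        return false;
    }

    // The answer's variant: a consumed state returns false quietly, while
    // a genuine mismatch is still rejected and logged.
    public function getCodePatched(array $request) {
        if (!isset($request['code']) || !isset($request['state'])
                || $this->state === null) {
            return false;
        }
        if ($this->state === $request['state']) {
            $this->state = null;
            return $request['code'];
        }
        $this->log[] = 'CSRF state token does not match one provided.';
        return false;
    }
}

// Constructed sample callback parameters, not real tokens.
$callback = array('code' => 'sample-code', 'state' => 'abc123');
foreach (array('getCodeUnpatched', 'getCodePatched') as $method) {
    $sdk = new StateModel('abc123');
    $sdk->$method($callback); // first call, as from getUser()
    $sdk->$method($callback); // second call, as from getLogoutUrl()
    echo $method, ' log entries after two calls: ', count($sdk->log), "\n";
}
$sdk = new StateModel('abc123');
var_dump($sdk->getCodePatched(array('code' => 'x', 'state' => 'forged')));
echo 'log entries after forged state: ', count($sdk->log), "\n";
```

The forged-state case is the one to keep an eye on when patching: silencing the duplicate-call message must not also silence the log entry for a real mismatch.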

Try to replace fb_ca_chain_bundle.crt in modules/account/helper with the one from https://github.com/facebook/facebook-php-sdk/tree/master/src

Arie Agung