I've been trying to find a solution for hours - without success. So I hope that maybe one of you can help me with this: It seems like this script always starts a new session - and I don't know why.
<?php
// Authorization code that Facebook appends to the redirect back to this script.
$code = $_REQUEST["code"];
if(empty($code)) {
    // No code yet: store a state value in the session and send the browser to the OAuth dialog.
    $_SESSION['state'] = md5(uniqid(rand(), TRUE));
    $dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
        . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
        . $_SESSION['state']. "&scope=publish_actions,publish_stream";
    echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
// Exchange the code for an access token only if the returned state matches the stored one.
if($_SESSION['state'] && ($_SESSION['state'] === $_REQUEST['state'])) {
    $token_url = "https://graph.facebook.com/oauth/access_token?"
        . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
        . "&client_secret=" . $app_secret . "&code=" . $code;
    $response = file_get_contents($token_url);
    $params = null;
    parse_str($response, $params);
    $_SESSION['access_token'] = $params['access_token'];
}
else {
    // State mismatch: print both values for debugging and stop.
    echo("Sessionstate: ".$_SESSION['state']."<br>");
    echo("REQUEST_state: ".$_REQUEST['state']."<br>");
    echo("Sessionstatus stimmt nicht mit dem REQUEST_State überein.");
    var_dump ($_REQUEST);
    exit;
}
?>
The session starts in an included file before this script is included with a regular:
session_start();
I tried to pass the "state" with
<form action="<?=$_SERVER['PHP_SELF'];?>?what=save&state=<?=$_SESSION['state'];?>" method="post" enctype="multipart/form-data">
from my index.php file.
Thanks for reading and for helping me.
Regards Christian.
Edit: Here's the link to the developer-blog: https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
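An added example, not part of the original post or of the linked developer blog: the same session-bound state check with the value drawn from random_bytes(), compared with hash_equals() and discarded after one use. The function names, the placeholder app id and the example.com redirect URI are assumptions, and plain arrays stand in for $_SESSION and $_REQUEST so it runs from the command line.

```php
<?php
// Added example: session-bound OAuth "state" handling. All function names are hypothetical.

// Create a fresh, unpredictable state value and remember it in the session.
function issue_state(array &$session): string
{
    $session['state'] = bin2hex(random_bytes(16)); // CSPRNG instead of md5(uniqid(rand()))
    return $session['state'];
}

// Check the state returned on the callback; the stored value is single-use.
function verify_state(array &$session, array $request): bool
{
    $expected = $session['state'] ?? '';
    $received = $request['state'] ?? '';
    unset($session['state']);                 // one state value, one callback
    return is_string($received) && $expected !== ''
        && hash_equals($expected, $received); // constant-time comparison
}

// Build the authorization URL with every parameter URL-encoded.
function dialog_url(string $appId, string $redirectUri, string $state): string
{
    return 'https://www.facebook.com/dialog/oauth?' . http_build_query([
        'client_id'    => $appId,
        'redirect_uri' => $redirectUri,
        'state'        => $state,
        'scope'        => 'publish_actions,publish_stream',
    ]);
}

// Constructed demo data: arrays stand in for $_SESSION and $_REQUEST.
$session = [];
$state   = issue_state($session);
echo dialog_url('APP_ID_PLACEHOLDER', 'https://example.com/callback.php', $state), "\n";

$check = $session;                           // callback arrives in the same session
var_dump(verify_state($check, ['code' => 'x', 'state' => $state]));
$check = $session;                           // callback carries a state that was never issued
var_dump(verify_state($check, ['code' => 'x', 'state' => 'forged']));
$check = [];                                 // callback arrives in a new, empty session
var_dump(verify_state($check, ['code' => 'x', 'state' => $state]));
```

The third call models a callback that lands in a session other than the one that issued the state: the check fails closed, which is the mismatch branch the script in the question prints.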