13

some of the users on my site are experiencing a Laravel\Socialite\Two\InvalidStateException. I've taken the steps outlined in the replies to Laravel Socialite: InvalidStateException and have not been able to resolve the issue. Only a small percentage of users seem to be experiencing this.

I have 2 fpm/nginx docker containers sitting behind an HAProxy load balancer.

Ben
  • 60,438
  • 111
  • 314
  • 488
  • try the answer in https://stackoverflow.com/questions/29629287/laravel-5-geting-invalidstateexception-in-abstractprovider-php – Kareem Essawy Jan 22 '18 at 13:33
  • @KareemEssawy Commenting that out is a huge security issue – Ben Jan 22 '18 at 19:34
  • 1
    probably you can try in a dev environment what is causing the problem, is it the login function or something else , also do you use Socialite for OAuth authentication with Facebook ? – Kareem Essawy Jan 23 '18 at 13:17
  • Try this https://stackoverflow.com/questions/30660847/laravel-socialite-invalidstateexception – Anand Pandey Jan 25 '18 at 12:55
  • Just delete all sessions and let people sign-in again. – markus Jan 28 '18 at 09:51
  • @markus These folks are logging in for the first time. – Ben Jan 28 '18 at 21:02
  • Possible duplicate of [Laravel Socialite: InvalidStateException](https://stackoverflow.com/questions/30660847/laravel-socialite-invalidstateexception) – twigg Jan 25 '19 at 17:16

4 Answers4

10

This seems to be an invalid state issue in socialite package that is already resolved in this post.

Some of your users are accessing your website with a different url (https://www.example.com or https://example.com) hence causing the mismatching "state" in the sessions.

If you are on Larvel 5.3 and above... add a SESSION_DOMAIN=http://example.com in the .env file

For other versions go to your config/session.php file, and add your domain. 'domain' => 'www.example.com'

To apply changes immediately. Run 'php artisan cache:clear' and 'composer dump-autoload' Hopefully this should resolve the issue.

Syed Waqas Bukhary
  • 5,130
  • 5
  • 47
  • 59
5

I bet you that the issue is appearing because of the load balancer. Here's my theory:

  1. Sticky sessions: if your load balancer hasn't sticky session properly configured, it's possible for some users to start a new session on server 1 and on a following request it ends on server 2 which maybe is throwing the Laravel\Socialite\Two\InvalidStateException

  2. Request timeout: I'm not sure of this but, maybe your session lifetime isn't enough to complete some process that also throws the Laravel\Socialite\Two\InvalidStateException

Maybe if you change the laravel session storage to a decentralized database instead of the default text file configuration, the exception gets solved.

Adrian Piña
  • 198
  • 2
  • 8
  • The session is persisted in an external `redis` instance which both `nginx/fpm` containers share for session storage. Wouldn't that eliminate the **Sticky Sessions** theory? – Ben Jan 24 '18 at 04:46
  • Then yes, that's not a sticky sessions issue. Is the authentication via API? Reading about socialite with redis found this [socialite stateless authentication](https://laravel.com/docs/5.5/socialite#stateless-authentication) maybe this help. – Adrian Piña Jan 25 '18 at 03:42
  • So... maybe I'm misunderstanding stateless. After the user logs in, I use my token to get more data from their API. Would it be suitable for me to use stateless in this scenario? – Ben Jan 28 '18 at 01:19
  • Did you find out what was wrong? I mean, is your back end separated from your front end? Does your app authenticate users with an oauth or similar? – Adrian Piña Feb 01 '18 at 16:07
  • It randomly stopped showing up a week ago. Though I can confirm I haven't touched this process in 10+ days. So I have no idea – Ben Feb 01 '18 at 21:01
0

In your production env file just add SESSION_DOMAIN=http://example.com to be picked up by your config/session.php. For local development, you won't need that.

user573
  • 33
  • 2
0

replace

Socialite::driver('google')->user();

to this code

Socialite::driver('google')->stateless()->user();

any social (any social login like facebook github etc)

Mubashir Farooq
  • 41
  • 7
Ebenezery Jesus Navas
  • 3
  • 1