
I am creating a login system where I use a person's email address as a unique identifier in my DB. People can log in using any OpenID provider such as Google etc. (also Facebook). It will simply take the email and store that as a unique identifier in the users table in my SQL DB (means I don't have to worry about email verification, passwords etc. and users don't have to register).

This works by opening up a new window using a link/JavaScript; my PHP script is then directed to Google or whoever the provider is. Then they enter their details, then Google etc. will automatically redirect the window back to my login script along with (if it worked) the user details (most importantly the email).

Now on the response I look at the email, check if it's in my database, if not add it, and if so, using $_SESSION, log the user into my site.

I have this working perfectly using the OpenID mechanism (Google, Yahoo, etc.). I am trying to get it working with Facebook also and having great difficulty. It is able to log a user into FB, grab a user's email etc. However, as soon as I try to log a user into my site, it does not work. For some reason it has a separate session (inc. separate session ID) for the new window I have opened (and my script + redirection runs in) than the rest of my site?

Just wondering if anyone has any idea why this would be happening.

This is what the login script looks like (that runs in the new window):

<?php 

   $app_id = "YOUR_APP_ID";
   $app_secret = "YOUR_APP_SECRET";
   $my_url = "YOUR_URL";

   session_start();
   // Guard the lookup: an undefined index would otherwise raise a notice.
   $code = isset($_REQUEST["code"]) ? $_REQUEST["code"] : "";

   if(empty($code)) {
     $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
     $dialog_url = "https://www.facebook.com/dialog/oauth?client_id=" 
       . $app_id . "&redirect_uri=" . urlencode($my_url) . "&scope=email&state="
       . $_SESSION['state'];

     echo("<script> top.location.href='" . $dialog_url . "'</script>");
     // Stop here; otherwise the state check below runs and prints the CSRF message
     // on the very first request.
     exit;
   }

   // Both values must exist and match exactly. With the loose == comparison and
   // no isset() check, two missing values (null == null) would pass the check.
   if(isset($_REQUEST['state'], $_SESSION['state'])
      && $_REQUEST['state'] === $_SESSION['state']) {
     unset($_SESSION['state']); // the state is single use

     $token_url = "https://graph.facebook.com/oauth/access_token?"
       . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
       . "&client_secret=" . $app_secret . "&code=" . urlencode($code);

     $response = file_get_contents($token_url);
     $params = null;
     parse_str($response, $params);

     if(empty($params['access_token'])) {
       die("Token exchange failed: " . htmlspecialchars($response));
     }

     $graph_url = "https://graph.facebook.com/me?access_token=" 
       . urlencode($params['access_token']);

     $user = json_decode(file_get_contents($graph_url));
     echo("Hello " . htmlspecialchars($user->name));

     // try_register_or_login($user->email);

   }
   else {
     echo("The state does not match. You may be a victim of CSRF.");
   }

 ?>

source: https://developers.facebook.com/docs/authentication/

I have spent far too many hours trying to work this out myself. Any help would be much appreciated.

  • 3
    if you are using cookies to store the session id (not using a session id as a GET parameter) make sure the session cookie is valid for all paths in your domain. the default is for the cookie to only be valid in the directory the session was started. So if your script is http://www.domain.com/dir/subdir/script.php, then the session cookie set in script.php will only be valid for files under the dir/subdir path. See http://php.net/manual/en/function.setcookie.php for more info about setting the cookie path – chris Jul 19 '11 at 15:54
  • Thats a very good point. I don't however think that is my problem, as I am able to get it to login using my openid alternative, and in this case, that is in the same directory as the facebook attempt. Thanks for suggestion. – Josh Mc Jul 20 '11 at 00:46
  • 1
    May it be could be as simple/silly as this. You are testing/using your site with the browser pointing to http://mysite.com and the App url entered in FB may contain "www". In that case, (by default setting) cookies will not be shared between them. – Thanashyam Jul 30 '11 at 03:15
  • 1
    It turned out I could fix all the problems I was having by the simple function call before session_start(); session_set_cookie_params (0,"/", ".domain.com"); Thanks for all the suggestions, how do I close a question, or set one of the reply's to the answer? Chris basically answered it for me. (without there being any propper question answer posts?) – Josh Mc Aug 07 '11 at 04:32

3 Answers

In case anyone is experiencing this and doesn't know why or how to solve it:

I was having the same issue. My page redirected to another site, the user does some stuff there and that site redirects him back to my site, and the session was lost in this step. The problem was with my cookie setup.

I was having the following Apache directive:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict

And the problem was specifically with SameSite=Strict mode, as the Strict value withholds the cookie from any cross-site usage.

Setting the value to Lax:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Lax

solved the issue without compromising security, as Lax mode allows some cross-site GET requests, as long as it is a top-level request.

A top-level request occurs whenever the URL in the address bar changes because of the navigation. This is not the case for iframes, images or XMLHttpRequests.

Reference: Preventing CSRF with samesite cookie attribute

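The two fixes that appear on this page, the session_set_cookie_params() call from the comments (cookie path "/" plus a shared parent domain) and the SameSite=Lax point from the answer above, combined into one callback-side setup with a strict state check. This is an added example, not code from the question, from the answers or from Facebook's documentation; the example.com domain, the redirect path, the oauth_state session key and the try_register_or_login() helper are placeholders, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: session cookie settings that survive the OAuth round trip.
// Must run before session_start(), in every script that shares the session.
session_set_cookie_params([
    'lifetime' => 0,              // session cookie, dropped when the browser closes
    'path'     => '/',            // valid for the whole site, not only this script's directory
    'domain'   => '.example.com', // placeholder; shared by example.com and www.example.com
    'secure'   => true,           // only sent over HTTPS (the redirect_uri must be HTTPS too)
    'httponly' => true,           // not readable from JavaScript
    'samesite' => 'Lax',          // sent with the top-level GET redirect back from the provider;
                                  // 'Strict' withholds it and the state check below would fail
]);
session_start();

$code  = isset($_GET['code'])  ? $_GET['code']  : '';
$state = isset($_GET['state']) ? $_GET['state'] : '';

if ($code === '') {
    // First leg: store a random state in the session, then send the user to the provider.
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));  // placeholder session key
    $dialog_url = 'https://www.facebook.com/dialog/oauth?' . http_build_query([
        'client_id'    => 'YOUR_APP_ID',
        'redirect_uri' => 'https://www.example.com/login/facebook.php', // placeholder
        'scope'        => 'email',
        'state'        => $_SESSION['oauth_state'],
    ]);
    header('Location: ' . $dialog_url);
    exit;   // nothing below may run on the first leg
}

// Second leg: the provider redirected back. The session cookie must have travelled
// with this cross-site top-level GET; if it did not, oauth_state is missing and we stop.
if (!isset($_SESSION['oauth_state']) || !hash_equals($_SESSION['oauth_state'], $state)) {
    http_response_code(403);
    exit('The state does not match: session cookie missing or CSRF attempt.');
}
unset($_SESSION['oauth_state']);   // the state is single use

// ... exchange $code for an access token and fetch the email as in the question ...
// $email = ...;
// session_regenerate_id(true);    // fresh session id once the user is authenticated
// try_register_or_login($email);  // placeholder for the site's own login routine
```

If the cookie still does not come back after this change, compare the exact host in the address bar with the redirect_uri registered at the provider, as the www/non-www comment above describes.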

I believe the issue may have to do with crossing domains or potentially how the cookie is set.

For crossing domains, take a look at Cross domain cookies

Another possibility is the flags that are set with the cookie. I had this exact issue when I set the secure flag on a cookie and then tried to access it via a non secure (http) page. Also, if the httponly flag is set, it will cause problems for javascript. You can read about both flags at http://www.php.net/manual/en/function.setcookie.php

  • This was the problem, session_set_cookie_params (0,"/", ".domain.com"); followed by session_start(), fixed the issue. – Josh Mc Aug 10 '11 at 04:59

Asp.net:

Note: You are getting this problem because of this: please click the URL to know the issue.

In your browser, if your unique sessionId's "SameSite" is showing Lax: click here to see.

Answer:

  1. Add the following code in the Web.config file

     <system.web> 
       <sessionState cookieless="false" cookieSameSite="None"/>
     </system.web>

  2. Need to delete cookies from the browser (we need to delete the cookie at least one time)

     a) do it manually
     b) Now your browser sessionId's "SameSite" shows None like this: click here to see

It's working for me in an asp.net web application.