1

I'm building a Facebook app to be accessed via mobile device, and after the user accepts the app permissions and is returned to the original URL I keep getting:

CSRF state token does not match one provided.

However, my redirect_uri is the same URL sending the request. I've checked my Facebook app settings and the app domain is entered correctly.

Here's my code:

<?php
require 'facebook/src/facebook.php';

// Create our Application instance (replace this with your appId and secret).
$facebook = new Facebook(array(
  'appId'  => 'MY_APP_ID',
  'secret' => 'MY_SECRET',
));

// Get User ID
$user = $facebook->getUser();

if ($user) {
  try {
    // Proceed knowing you have a logged in user who's authenticated.
    $user_profile = $facebook->api('/me');
    $friends = $facebook->api('/me/friends');
  } catch (FacebookApiException $e) {
    error_log($e);
    $user = null;
  }
}
?>
<?php if ($user) { ?>
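    <?php echo htmlspecialchars($user_profile['id']); ?><br />
    <pre><?php echo htmlspecialchars(print_r($user_profile, true)); ?></pre><br />
    <?php
    // List each friend; escape API-supplied values before writing them into HTML.
    foreach ($friends["data"] as $item) {
        echo htmlspecialchars($item["name"]) . ' - ' . htmlspecialchars($item["id"]) . '<br />';
    }
    ?>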

<?php }else{ ?>
<br />
<a href="https://www.facebook.com/dialog/oauth?client_id=MY_APP_ID&scope=email,publish_stream&display=touch&redirect_uri=<?php echo urlencode('https://www.domain.com/app/mobile.php?'); ?>">App.</a></body>
<?php } ?>
FLcoder

2 Answers

0

This may not be useful as I am using IIS and ASP.NET sessions, but I suspect you might be seeing the same inconsistencies I have observed. I see problems with IE 6 and some specific mobile browsers, particularly the UP.Browser, not retaining session state on redirects. In ASP.NET the SessionID is usually stored in a browser cookie, and some of these mobile devices are not retaining the cookie. I see them get multiple SessionID values issued during one Session. Without the persistent SessionID they lose the ability to get the stored state value and the whole thing falls apart.

Pat James
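
The failure described in the answer above, as an added example that is not part of the original posts or of the Facebook SDK: a state value is stored in the server-side session before the redirect and compared on return, so a browser that comes back with a new session ID fails the check even though nothing was forged. The function names and the `oauth_state` key are hypothetical; in a real page the array passed in would be `$_SESSION` after `session_start()`.

```php
<?php
// Added example: hypothetical helper names, constructed sample values.

// Create a one-time state value and keep it in the server-side session.
function issue_state(array &$session): string
{
    $session['oauth_state'] = bin2hex(random_bytes(16));
    return $session['oauth_state'];
}

// Check the state echoed back on the redirect. Returns:
//   'ok'           - stored and returned values match
//   'session_lost' - nothing stored: the session did not survive the redirect
//   'mismatch'     - a value is stored but differs: treat the request as forged
function check_state(array &$session, ?string $returned): string
{
    $stored = $session['oauth_state'] ?? null;
    unset($session['oauth_state']);   // single use, even on failure
    if ($stored === null) {
        return 'session_lost';
    }
    if ($returned === null || !hash_equals($stored, $returned)) {
        return 'mismatch';
    }
    return 'ok';
}

// Case 1: the session cookie is retained across the redirect.
$session = [];
$state = issue_state($session);
echo check_state($session, $state), "\n";

// Case 2: the browser returns with a new session ID, so the store is empty.
$freshSession = [];
echo check_state($freshSession, $state), "\n";

// Case 3: the session survives but the returned value was not issued by us.
$otherSession = [];
issue_state($otherSession);
echo check_state($otherSession, 'value-from-elsewhere'), "\n";
```

Logging the result together with `session_id()` on both the outgoing and the returning request shows whether a device is being issued more than one session ID during a single login.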
0

I believe this was an IIS issue. I moved the exact same code over to a Linux server and it worked just fine.

FLcoder