-1

I am trying to log in on my website using Facebook Authentication and it works fine. However, when I access the application via https://apps.facebook.com/myApp I get an error:

The state does not match. You may be a victim of CSRF

Here is the code that I am using from Facebook. I think there is a problem in `$my_url`:

    <?php

    $app_id = "YOUR_APP_ID";
    $app_secret = "YOUR_APP_SECRET";
    $my_url = "https://www.example.com/login.php";

    session_start();
    // Read the parameters defensively so a missing "code" or "state" does not
    // raise an undefined-index notice.
    $code  = isset($_REQUEST["code"])  ? $_REQUEST["code"]  : "";
    $state = isset($_REQUEST["state"]) ? $_REQUEST["state"] : "";

    if(empty($code)) {
      $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
      $dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
        . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
        . $_SESSION['state'];

      echo("<script> top.location.href='" . $dialog_url . "'</script>");
      exit; // nothing below applies until Facebook redirects back with code and state
    }

    // Compare the returned state with the session copy in constant time.
    if(isset($_SESSION['state']) && hash_equals($_SESSION['state'], $state)) {
      $token_url = "https://graph.facebook.com/oauth/access_token?"
        . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
        . "&client_secret=" . $app_secret . "&code=" . urlencode($code);

      $response = file_get_contents($token_url);
      $params = null;
      parse_str($response, $params);

      $graph_url = "https://graph.facebook.com/me?access_token="
        . $params['access_token'];

      $user = json_decode(file_get_contents($graph_url));
      echo("Hello " . htmlspecialchars($user->name));
    }
    else {
      echo("The state does not match. You may be a victim of CSRF.");
    }

    ?>
Yahoo

1 Answer

0

You really should check out the SDK that Facebook provides for PHP. Then you don't need to recreate any of the graph calls as it's all handled for you.

But there are two issues:

  1. You need to encode the entire return URL in the login call, i.e.

        // the state travels inside the encoded redirect_uri rather than as a
        // separate dialog parameter ($my_url has no query string, hence "?")
        $dialog_url = "https://www.facebook.com/dialog/oauth?client_id=" . $app_id
          . "&redirect_uri=" . urlencode($my_url . "?state=" . $_SESSION['state']);

  2. If you want to pass data into an iframe, you need to send it in a parameter called "app_data"; all other parameters will get removed. This app_data gets sent in the "signed request", so you need to decode the signed_request. Details: http://developers.facebook.com/docs/authentication/signed_request/ (Again, use the Facebook SDK as it makes handling the signed request easy!).

Robbie
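An added example of the second point, not code from the question or the answer: verify the signed_request that Facebook posts to a canvas page and compare the app_data it carries with the state kept in the session. The app secret is a placeholder, the signed_request is constructed inline so the script runs offline, and `$session_state` stands in for `$_SESSION['state']`.

```php
<?php
// Added example: verify a canvas signed_request and check its app_data.
// Format (per the linked docs): base64url(sig) . "." . base64url(json payload),
// where sig = HMAC-SHA256(payload, app_secret) as raw bytes.

function base64url_decode($s) {
    return base64_decode(strtr($s, '-_', '+/'), true);
}

function base64url_encode($s) {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns the decoded payload array, or null if the format or signature is invalid.
function parse_signed_request($signed_request, $app_secret) {
    $parts = explode('.', $signed_request, 2);
    if (count($parts) !== 2) { return null; }
    list($encoded_sig, $payload) = $parts;
    $sig  = base64url_decode($encoded_sig);
    $data = json_decode(base64url_decode($payload), true);
    if ($sig === false || !is_array($data)) { return null; }
    if (($data['algorithm'] ?? '') !== 'HMAC-SHA256') { return null; }
    // HMAC over the still-encoded payload, raw output, constant-time comparison.
    $expected = hash_hmac('sha256', $payload, $app_secret, true);
    if (!hash_equals($expected, $sig)) { return null; }
    return $data;
}

// Constructed input: the signed_request as Facebook would POST it to the canvas page.
$app_secret    = 'PLACEHOLDER_APP_SECRET';   // placeholder, not a real secret
$session_state = bin2hex(random_bytes(16));  // what $_SESSION['state'] would hold
$payload = base64url_encode(json_encode([
    'algorithm' => 'HMAC-SHA256',
    'issued_at' => time(),
    'app_data'  => $session_state,            // the only parameter that survives the iframe
]));
$signed_request = base64url_encode(hash_hmac('sha256', $payload, $app_secret, true))
    . '.' . $payload;

$data = parse_signed_request($signed_request, $app_secret);
if ($data === null) {
    echo "Invalid signed_request\n";
} elseif (!hash_equals($session_state, (string)($data['app_data'] ?? ''))) {
    echo "The state does not match. You may be a victim of CSRF.\n";
} else {
    echo "State OK: app_data round-tripped through the canvas\n";
}
```

Tampering with the payload or using the wrong secret makes parse_signed_request return null, so a forged app_data never reaches the state comparison.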