
I've got a problem with my FB apps with Internet Explorer 7.

I'm using this piece of code, provided by FB some time ago:

    $auth_url = "http://www.facebook.com/dialog/oauth?client_id="
            . FACEBOOK_APP_ID . "&redirect_uri=" . urlencode(CANVAS_PAGE . 'index.php') . "&scope=user_likes,publish_stream";

    $signed_request = $_REQUEST["signed_request"];

    list($encoded_sig, $payload) = explode('.', $signed_request, 2);

    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);

    // If first time we use the application -> ask for permissions
    if (empty($data["user_id"]))
    {
        echo("<script> top.location.href='" . $auth_url . "'</script>");
    }
    // else display the page code
    else
    {
    }

Using this code, the page loads correctly but then, after 1 second, it reloads and so on, so it gets impossible to use.

By uncommenting the line

    echo("<script> top.location.href='" . $auth_url . "'</script>");

the problem is solved (btw, in my case, the code should not execute this line... It is SO strange that uncommenting a non-used line of code solves my problem but anyway...)

After reading some forums, I had the impression that this issue was a P3P header related one. So I tried to add this line:

    header('P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"');

after the body tag. I also tried to add it just before the body tag, and I finally tried to add it as a meta tag:

    <meta http-equiv="P3P" content='CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM CURa ADMa PHY ONL COM STA"'>

but none of these 3 options worked for me, and my app still loads eternally.

Does anybody have a clue?

Thanks in advance!


Well, I read some forums relating to the same problem:

but none of these solutions worked for me, I still have this eternal reloading page problem.

I also read a forum which I thought would solve my problem - http://adamyoung.net/IE-Blocking-iFrame-Cookies - but again... no luck.

Can anybody help me???

thomaus
  • if you do a print_r($data); instead of the redirect, what do you get? – fredrik Nov 07 '11 at 21:33
  • Nothing happens in this case. If I uncomment this line: echo(""); the bug is fixed. The problem is that I absolutely need this line for the Auth dialog, the first time a user enters my app. – thomaus Nov 08 '11 at 10:41
  • yes, it seems that you don't get response back after returning from the auth dialog. Try printing $_REQUEST["signed_request"]; and see if there is anything in that. – fredrik Nov 08 '11 at 14:36
  • Maybe I was unclear. If I output $data I get : Array ( [algorithm] => HMAC-SHA256 [expires] => 1320771600 [issued_at] => 1320767183 [oauth_token] => AAAC13ErcOq0BACZAxxabgZADUHq3aEcNdBopCZBZAPLgVTMXFz1g25ZBqr1WbEsX5QWXnsqLwIPVlAxWbIyHC6cGOvx5qDZBlNi5knz9rORAZDZD [user] => Array ( [country] => es [locale] => en_US [age] => Array ( [min] => 21 ) ) [user_id] => 719597603 ) – thomaus Nov 08 '11 at 15:47
  • And if I output the signed request, I get a signed request which seems to be all right. I thought you wanted me to do a print_r($data) instead of the redirect line. In this case, as I said, I don't get anything, which is normal: it should be impossible for the script to enter the "if (empty($data["user_id"]))" condition, since $data['user_id'] is NOT empty. But if I leave the "echo("");" line, then script gets broken. I never saw something so weird! – thomaus Nov 08 '11 at 15:52
  • and this only happens in IE7? makes no sense :P are you sure that $data["user_id"] is set when you use IE7? I'll try to set this up – fredrik Nov 08 '11 at 21:57
  • Would you mind testing if this is caused by double page load in iframe, once without signed request. I've run into this bug before, but have never tried to check for this – DannyKK Nov 09 '11 at 07:52
  • Forget the P3P stuff and anything else about cookies, they have no bearing on this code. But just to be clear, you are saying that if you print_r($data) just before the `empty` test, you see an array element called user_id, but the conditional executes anyway? And this only happens in IE? It really does sound impossible...is the code you have shown really all there is? Any change if you put an `exit;` statement right after the `echo` line? – Floyd Wilburn Nov 09 '11 at 08:35
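
The snippet in the question decodes the `signed_request` payload and reads `user_id` from it without checking the signature part, and without handling a request that arrives with no `signed_request` at all. The following is an added example, not code from the original post or from Facebook: a parser that verifies the HMAC-SHA256 signature before returning the payload. It assumes PHP 5.6 or later for `hash_equals`; the secret, user ids and helper names are constructed placeholders.

```php
<?php
// Added example. Assumes PHP >= 5.6 (hash_equals); the secret and the
// requests below are constructed placeholders, not real Facebook values.

function b64url_decode($s) {
    $s = strtr($s, '-_', '+/');
    // strict mode: return false on characters outside the base64 alphabet
    return base64_decode($s . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
}

function b64url_encode($s) {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns the decoded payload, or null if the request must not be trusted.
function parse_signed_request($signed_request, $secret) {
    if (!is_string($signed_request) || substr_count($signed_request, '.') !== 1) {
        return null;                          // absent or malformed
    }
    list($encoded_sig, $payload) = explode('.', $signed_request, 2);
    $sig  = b64url_decode($encoded_sig);
    $json = b64url_decode($payload);
    if ($sig === false || $json === false) {
        return null;
    }
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['algorithm'])
        || $data['algorithm'] !== 'HMAC-SHA256') {
        return null;                          // refuse any other algorithm
    }
    // The HMAC covers the still-encoded payload; compare in constant time.
    $expected = hash_hmac('sha256', $payload, $secret, true);
    return hash_equals($expected, $sig) ? $data : null;
}

// Constructed sample: one correctly signed request, one with a swapped payload.
$secret  = 'placeholder-app-secret';
$payload = b64url_encode(json_encode(array('algorithm' => 'HMAC-SHA256', 'user_id' => '1000001')));
$sig     = b64url_encode(hash_hmac('sha256', $payload, $secret, true));
$altered = b64url_encode(json_encode(array('algorithm' => 'HMAC-SHA256', 'user_id' => '2000002')));

var_dump(parse_signed_request("$sig.$payload", $secret));   // untouched request
var_dump(parse_signed_request("$sig.$altered", $secret));   // payload replaced after signing
var_dump(parse_signed_request(null, $secret));              // parameter missing from the request
```

Treating a `null` result as "not authenticated" also covers the case raised in the comments where the page is loaded a second time without a `signed_request`.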

2 Answers


Couldn't get your code to work either, it just reloaded. Seems $_REQUEST["signed_request"] was never set.

But I got it to work with the code from http://developers.facebook.com/docs/authentication/

    <?php
    $app_id = "your app id";
    $app_secret = "your app secret";
    $my_url = "your app url";

    session_start();
    // "code" is absent on the first visit, before the OAuth dialog has run
    $code = isset($_REQUEST["code"]) ? $_REQUEST["code"] : null;

    if(empty($code)) {
      $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
      $dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
        . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
        . $_SESSION['state'];

      echo("<script> top.location.href='" . $dialog_url . "'</script>");
      exit; // stop here so the state check below only runs on the return trip
    }

    // Compare the state returned by the dialog with the one stored in the session
    if(isset($_REQUEST['state'], $_SESSION['state'])
        && $_REQUEST['state'] === $_SESSION['state']) {
      $token_url = "https://graph.facebook.com/oauth/access_token?"
        . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
        . "&client_secret=" . $app_secret . "&code=" . urlencode($code);

      $response = file_get_contents($token_url);
      $params = null;
      parse_str($response, $params);

      $graph_url = "https://graph.facebook.com/me?access_token="
        . $params['access_token'];

      $user = json_decode(file_get_contents($graph_url));
      echo("Hello " . $user->name);
    }
    else {
      echo("The state does not match. You may be a victim of CSRF.");
    }

That said, I would recommend you to use the Facebook PHP SDK, http://developers.facebook.com/docs/reference/php/ that makes programming facebook apps easier.

EDIT: using the PHP SDK

To authenticate with the PHP SDK, you would do something like the following:

    // update this to where you've stored the facebook PHP SDK
    require '../src/facebook.php';

    $facebook = new Facebook(array(
      'appId'  => 'your app id',
      'secret' => 'your app secret',
    ));

    $user = $facebook->getUser();
    if ($user) {
      print "You've logged in!";
    } else {
      echo("<script> top.location.href='" . $facebook->getLoginUrl() . "'</script>");
    }

EDIT: headers

Also, try setting this in the first lines of your code:

    ini_set('session.use_trans_sid', 1);
    header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

This helped me when the fb session was lost sometimes in an app. Found that in this post: How to properly handle session and access token with Facebook PHP SDK 3.0?

fredrik
  • Hi, thank you **SO MUCH**. 2 last things: 1) Using this solution, I always get the "The state does not match. You may be a victim of CSRF." message. It seems that $_SESSION is always empty. This said, it works anyway. 2) Could you please provide me a piece of code to display the permissions dialog using the PHP SDK? – thomaus Nov 09 '11 at 09:57
  • glad I could help, I've added how to authenticate using the PHP SDK as well. Don't know why the $_SESSION doesn't work for you. Are you able to set anything in the session? – fredrik Nov 09 '11 at 10:21
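
The `state` check in the answer above only protects against CSRF if the value is unpredictable, used once, and actually present in the session when the dialog returns. The following is an added example, not code from the answer or from Facebook: it generates the state from the CSPRNG, compares it in constant time, and reports an empty session separately from a mismatch so the symptom described in the comment can be told apart from a forged request. It assumes PHP 7 or later for `random_bytes`; the function names, status strings, app id and redirect URL are constructed placeholders, and the session is passed as an array so the block runs from the command line.

```php
<?php
// Added example. Assumes PHP >= 7 (random_bytes); names and values are placeholders.

function issue_state(array &$session) {
    // 128 bits from the CSPRNG rather than md5(uniqid(rand()))
    $session['state'] = bin2hex(random_bytes(16));
    return $session['state'];
}

function check_state(array &$session, $received) {
    $expected = isset($session['state']) ? $session['state'] : null;
    unset($session['state']);                 // single use, whatever the outcome
    if (!is_string($expected)) {
        return 'no_session_state';            // session cookie did not come back
    }
    if (!is_string($received)) {
        return 'missing_parameter';           // request carried no state at all
    }
    return hash_equals($expected, $received) ? 'ok' : 'mismatch';
}

function dialog_url($app_id, $redirect_uri, $state) {
    // http_build_query URL-encodes every value
    return 'https://www.facebook.com/dialog/oauth?' . http_build_query(array(
        'client_id'    => $app_id,
        'redirect_uri' => $redirect_uri,
        'state'        => $state,
    ));
}

// Constructed walk-through; in a web request $session would be $_SESSION
// and the second argument of check_state() would come from $_REQUEST['state'].
$session = array();
$state   = issue_state($session);
echo dialog_url('APP_ID_PLACEHOLDER', 'https://example.test/canvas/', $state), "\n";

var_dump(check_state($session, $state));      // state returned by the dialog
var_dump(check_state($session, $state));      // same value presented a second time

$lost = array();                              // session that came back empty
var_dump(check_state($lost, $state));
```

Logging the status string makes it clear whether a failed check is a session that was never restored inside the iframe or a request whose state really differs.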

https://gist.github.com/2765933 has a solution in Sinatra/Ruby that helped me with this issue!

I found it to be the p3p issue, I just wanted to post some sample code for anyone who finds this after me.

rylanb