Facebook SDK returned an error: Cross-site request forgery validation failed. The "state" param from the URL and session do not match

#11
With Symfony, it doesn't work because of the way sessions are managed.

To resolve the problem you can create a new handler which works with Symfony's session.

FacebookDataHandlerSymfony.php:

    <?php

    use Facebook\PersistentData\PersistentDataInterface;
    use Symfony\Component\HttpFoundation\Session\Session;

    class FacebookDataHandlerSymfony implements PersistentDataInterface
    {
        private $session;

        public function __construct()
        {
            $this->session = new Session();
        }

        // Read a value the SDK stored earlier (for example the "state" value)
        public function get($key)
        {
            return $this->session->get('FBRLH_' . $key);
        }

        // Store a value for the SDK in the Symfony session
        public function set($key, $value)
        {
            $this->session->set('FBRLH_' . $key, $value);
        }
    }

And when you create the FB object, you just have to specify the new class:

    $this->fb = new Facebook([
        'app_id' => '1234',
        'app_secret' => '1324',
        'default_graph_version' => 'v2.8',
        'persistent_data_handler' => new FacebookDataHandlerSymfony()
    ]);

#12
For me, the problem was that I wasn't running a session before the script.

So, I added `session_start();` before instantiating the `Facebook` class.

#13
In my case I checked the error and found an error which led me to the solution of executing this code:

    date_default_timezone_set('Europe/Istanbul');

before the script. Worked like a charm. For your location check: timezones.europe.php

#14
I had the same error, because I forgot to add "www." to the sender address. In the Client-OAuth Settings there has to be the correct name.


#15
This is a common issue that many people are facing in the FB API. This is only a SESSION problem. To solve this issue, add some code like this.

In the callback script (usually fb-callback.php), add "session_start();" just before you include the Facebook autoload file, and then "$_SESSION['FBRLH_state']=$_GET['state'];" after the "$helper = $fb->getRedirectLoginHelper();" line.

Example:

    <?php
    session_start();
    include 'vendor/autoload.php';
    include 'config.php'; /* Facebook config */
    $helper = $fb->getRedirectLoginHelper();
    // Overwrites the state saved in the session with the value from the request
    $_SESSION['FBRLH_state'] = $_GET['state'];
    try {
        $accessToken = $helper->getAccessToken();
    } catch (Facebook\Exceptions\FacebookSDKException $e) {
        // A try block needs a catch; report the SDK error and stop
        exit('Facebook SDK returned an error: ' . $e->getMessage());
    }
    ?>

#16
Might help someone who is using the **Javascript Helper** in the frontend for authenticating the user and in PHP is trying to extract the **access_token** from the **Redirect Login Helper**. So use the following

    getJavaScriptHelper();

instead of

    getRedirectLoginHelper();

#17
The same issue occurred to me on Laravel 5.4. I solved this issue by putting

    session_start();

at the top of the script.

Below is the sample Laravel controller namespace to give you an example of how it will work.

    <?php
    namespace App\Http\Controllers;
    session_start();
    use Facebook\Facebook as Facebook;
    ?>

The issue is occurring because it has not yet started, so by adding session start at the top of the script we are just starting the session.

Hope it may help somebody.

#18
I found that as long as I enabled PHP sessions before generating the login URL, and at the top of the script Facebook eventually redirects to, it works just fine on its own without setting a cookie (as per ale500's answer). This is using the 5.1 version of the SDK.

At the top of both scripts, I added...

    if (!session_id()) {
        session_start();
    }

...and it "just worked".

Here's a barebones complete example that worked for me:

**auth.php**

    if (!session_id()) {
        session_start();
    }

    $oFB = new Facebook\Facebook([
        'app_id' => FACEBOOK_APP_ID,
        'app_secret' => FACEBOOK_APP_SECRET
    ]);

    // getLoginUrl() stores the CSRF "state" value in the session
    $oHelper = $oFB->getRedirectLoginHelper();
    $sURL = $oHelper->getLoginUrl(FACEBOOK_AUTH_CALLBACK, FACEBOOK_PERMISSIONS);

    // Redirect or show link to user.

**auth_callback.php**

    if (!session_id()) {
        session_start();
    }

    $oFB = new Facebook\Facebook([
        'app_id' => FACEBOOK_APP_ID,
        'app_secret' => FACEBOOK_APP_SECRET
    ]);

    // getAccessToken() compares the returned "state" with the one in the session
    $oHelper = $oFB->getRedirectLoginHelper();
    $oAccessToken = $oHelper->getAccessToken();
    if ($oAccessToken !== null) {
        $oResponse = $oFB->get('/me?fields=id,name,email', $oAccessToken);
        print_r($oResponse->getGraphUser());
    }

## Why?

As an additional note, this is explained in the Docs on the repo. Look at the warning on this page.

> Warning: The FacebookRedirectLoginHelper makes use of sessions to store a CSRF value. You need to make sure you have sessions enabled before invoking the getLoginUrl() method. This is usually done automatically in most web frameworks, but if you're not using a web framework you can add session_start(); to the top of your login.php & login-callback.php scripts. You can overwrite the default session handling - see extensibility points below.

I'm adding this note because it's important to keep in mind should you happen to be running your own session management or if you're running multiple web servers in parallel. In those cases, relying upon PHP's default session methods won't always work.

#19
Lots of great answers already mentioned, here is the one which helped for me,

I found that the problem is **Cross-site request forgery validation failed. Required param “state” missing** in FB code and here is the solution

After this line

    $helper = $fb->getRedirectLoginHelper();

Add the below code,

    if (isset($_GET['state'])) {
        $helper->getPersistentDataHandler()->set('state', $_GET['state']);
    }

#20
SOLUTION FOR INTERMITTENT PROBLEMS

I was a) redirecting to Facebook login link, b) redirecting from login.php to main.php. Users would travel to main.php and a few other pages, then click back back back in browser.

Eventually, they would hit login.php with a bunch of creds posted to it, but Facebook removes the $_SESSION['FBRLH_state'] after a single success, so even though it had the proper $_GET['state'], it would error out.

The solution is to a) track internally if the user is logged in and avoid the repeat Facebook logic in login.php, OR b) keep track of all recently valid state parameters for that particular user (in a session perhaps) which were set by Facebook and if the $_GET['state'] is in that array, then do this:

    $_SESSION['FBRLH_state'] = $_GET['state'];

In this case you can do this safely without breaking CSRF protection.
Reply
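
The "state" check this thread is about, reduced to a stand-alone model. This is an added example, not code from any post above or from the Facebook SDK; the function names and the `$session` array standing in for `$_SESSION` are assumptions. It shows the check failing when no session holds the saved value, and shows that copying the request's `state` over the stored one, as in #15 and #19, makes the comparison succeed for any callback.

```php
<?php
// Added illustration, not Facebook SDK code. $session stands in for $_SESSION;
// the function names are made up for this example.

// Login page: create a random state, keep it server-side, send it in the login URL.
function issueState(array &$session): string
{
    return $session['FBRLH_state'] = bin2hex(random_bytes(16));
}

// Callback: compare stored and returned state in constant time; a state is single-use.
function validateState(array &$session, array $query): bool
{
    $saved = $session['FBRLH_state'] ?? null;
    $given = $query['state'] ?? null;
    $ok = is_string($saved) && is_string($given) && hash_equals($saved, $given);
    if ($ok) {
        unset($session['FBRLH_state']);
    }
    return $ok;
}

// The workaround from posts #15 and #19: overwrite the stored value with the request's.
function validateStateWithOverwrite(array &$session, array $query): bool
{
    if (isset($query['state'])) {
        $session['FBRLH_state'] = $query['state'];
    }
    return validateState($session, $query);
}

function report(string $case, bool $accepted): void
{
    printf("%-45s %s\n", $case, $accepted ? 'accepted' : 'rejected');
}

// Constructed sample data: one genuine round trip and one callback this session never issued.
$session = [];
$own = ['state' => issueState($session)];
$foreign = ['state' => 'constructed-value-never-issued-here'];

report('own callback, session present', validateState($session, $own));
report('same callback replayed (back button)', validateState($session, $own));

$empty = []; // session_start() missing, or the request hit a node without the session
report('own callback, no stored state', validateState($empty, $own));

issueState($session);
report('foreign callback, strict check', validateState($session, $foreign));
report('foreign callback, overwrite workaround', validateStateWithOverwrite($session, $foreign));
```

Run it with the PHP CLI; fixing session availability (`session_start()`, a shared session store, or a custom persistent data handler as in #11) keeps the strict comparison intact.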


