Facebook SDK returned an error: Cross-site request forgery validation failed. The "state" param from the URL and session do not match

#21
This might be kinda late but I hope it helps others since this problem still persists.

I had this problem for a while and I've searched around and have seen a lot of different solutions, many of which disable the CSRF check. So after everything I've read, this is what worked for me.

From what I understand, you get this error when your redirect URL doesn't match the one you have set up in your app settings, so my issue was fixed very easily, but I have also seen people have issues by not having their session started properly, so I will cover both issues.

**Step 1: Ensure your session has started when it needs to.**

**for example: fb-config.php**

```php
<?php
session_start(); // must run before the SDK helper reads or writes the session
include_once 'path/to/Facebook/autoload.php';

$fb = new \Facebook\Facebook([
    'app_id'                => 'your_app_id',
    'app_secret'            => 'your_secret_app_id',
    'default_graph_version' => 'v2.10',
]);

$helper = $fb->getRedirectLoginHelper();
```

If your Facebook callback code is in another file aside from the config, then start the session in that file too.

**for example: fb-callback.php**

```php
<?php
session_start();
include_once 'path/to/fb-config.php'; // provides $fb and $helper

try {
    $accessToken = $helper->getAccessToken();
} catch (\Facebook\Exceptions\FacebookResponseException $e) {
    // Graph API returned an error
    echo "Response Exception: " . $e->getMessage();
    exit();
} catch (\Facebook\Exceptions\FacebookSDKException $e) {
    // Local SDK error, e.g. the CSRF "state" validation failure
    echo "SDK Exception: " . $e->getMessage();
    exit();
}

/** THE REST OF YOUR CALLBACK CODE **/
```

Now, what solved my actual issue.

**Step 2: Set up your redirect URL in your app settings.**

In your Facebook Login app settings, go to **Valid OAuth redirect URIs**, where you should have added the URL that points to your fb-callback.php file.

[To see links please register here]


AND ALSO

[To see links please register here]


Then set up your redirect URL as follows.

```php
$redirectURL = "http://" . $_SERVER['SERVER_NAME'] . "/fb-callback.php";
$permissions = ['email'];
$fLoginURL   = $helper->getLoginUrl($redirectURL, $permissions);
```

Why both with and without www and why use SERVER_NAME?

Because your **Valid OAuth redirect URI** needs to match the redirect URL in your code, and if in your app settings you only set your OAuth redirect as

[To see links please register here]

and set up your $redirectURL as

[To see links please register here]

to make it match but the user entered your site as

[To see links please register here]

then the user will get the **Facebook SDK error: Cross-site request forgery validation failed. Required param "state" missing from persistent data** because the URL the user is at doesn't EXACTLY match what you have set up. Why? I have no freaking idea.

My approach makes it so if the user enters your site as

[To see links please register here]

or

[To see links please register here]

it will always match what you set up in your app settings. Why? Because $_SERVER['SERVER_NAME'] will return the domain with or without the www depending on how the user entered the URL in the browser.

These are my findings, and this is about the only thing that worked for me without removing the CSRF check, and so far, no issues.

I hope this helps.
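To make clear what the two error messages quoted in this post are actually checking, here is an added example (not code from the post above or from the Facebook SDK) that reconstructs the OAuth "state" CSRF check in plain PHP; the function names and the session key are assumptions made for this example.

```php
<?php
// Added example, not code from the original post or the Facebook SDK: a minimal
// reconstruction of the OAuth "state" CSRF check, showing why the session must
// survive unchanged between the login request and the callback.
// Function names and the session key are assumptions made for this example.
declare(strict_types=1);

/** Login step: create an unguessable state and persist it in the session. */
function issueState(array &$session): string
{
    $state = bin2hex(random_bytes(16));   // 128 random bits
    $session['oauth_state'] = $state;
    return $state;
}

/** Callback step: the state in the URL must equal the persisted one. */
function validateState(array &$session, array $query): void
{
    if (!isset($session['oauth_state'])) {
        throw new RuntimeException('Required param "state" missing from persistent data');
    }
    $expected = $session['oauth_state'];
    unset($session['oauth_state']);      // one-time use: never accept a replay
    if (!isset($query['state']) || !hash_equals($expected, $query['state'])) {
        throw new RuntimeException('The "state" param from the URL and session do not match');
    }
}

// 1) Same session for both requests: passes.
$session = [];
$state = issueState($session);
validateState($session, ['state' => $state, 'code' => 'constructed-auth-code']);
echo "same session: ok\n";

// 2) Login started on www.example.com, callback arrived on example.com: the
//    session cookie is not sent across hosts, so PHP starts an empty session.
$freshSession = [];
try { validateState($freshSession, ['state' => $state]); }
catch (RuntimeException $e) { echo "host changed: {$e->getMessage()}\n"; }

// 3) Two login attempts in one session (e.g. two tabs): the second attempt
//    overwrites the stored state, so the first tab's callback no longer matches.
$session = [];
$first  = issueState($session);
$second = issueState($session);
try { validateState($session, ['state' => $first]); }
catch (RuntimeException $e) { echo "stale state: {$e->getMessage()}\n"; }
```

Scenario 2 is the "missing from persistent data" case the post describes for www versus non-www hosts, and scenario 3 is the "do not match" case from the thread title; keeping the callback host identical to the host that built the login URL is what keeps the session, and therefore the state, the same.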