Facebook SDK returned an error: Cross-site request forgery validation failed. The “state” param from the URL and session do not match

南方客 2020-12-01 01:37

I'm trying to get the Facebook user id using the PHP SDK like this:

$fb = new Facebook\Facebook([
    'app_id' => '11111111111',
    'app_secret' =>

25 answers
  •  -上瘾入骨i
    2020-12-01 02:25

    SOLUTION FOR INTERMITTENT PROBLEMS

    I was a) redirecting to Facebook login link, b) redirecting from login.php to main.php. Users would travel to main.php and a few other pages, then click back back back in browser.

    Eventually, they would hit login.php with a bunch of creds posted to it, but Facebook removes the $_SESSION['FBRLH_state'] after a single success, so even though it had the proper $_GET['state'], it would error out.

    The solution is to a) track internally if the user is logged in and avoid the repeat Facebook logic in login.php, OR b) keep track of all recently valid state parameters for that particular user (in a session perhaps) which were set by Facebook and if the $_GET['state'] is in that array, then do this:

    $_SESSION['FBRLH_state'] = $_GET['state'];

    In this case you can do this safely without breaking CSRF protection.
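Option (b) from the answer above, written out as an added example; it is not part of the original answer and not SDK code. The helper names, the `fb_issued_states` session key, the TTL and the cap are assumptions, and it relies on the SDK having written the state it generated into `$_SESSION['FBRLH_state']` when the login URL was built.

```php
<?php
// Added example: restore FBRLH_state only for a state value that this
// session was actually issued, and only for a limited time.
const STATE_TTL = 600; // seconds a recorded state stays acceptable (assumed)
const STATE_MAX = 5;   // remembered states per session (assumed)

// Call right after the SDK has generated the login URL, while
// $session['FBRLH_state'] still holds the state it just issued.
function remember_issued_state(array &$session, ?int $now = null): void
{
    $state = $session['FBRLH_state'] ?? null;
    if (!is_string($state) || $state === '') {
        return;
    }
    $session['fb_issued_states'][] = ['state' => $state, 'at' => $now ?? time()];
    // Bound the list so a session cannot accumulate states forever.
    $session['fb_issued_states'] = array_slice($session['fb_issued_states'], -STATE_MAX);
}

// Call in login.php before the SDK validates the callback.
// $returned is the raw $_GET['state'] value (may be missing or an array).
function restore_state_if_issued(array &$session, $returned, ?int $now = null): bool
{
    if (!is_string($returned) || $returned === '') {
        return false;
    }
    $now = $now ?? time();
    foreach ($session['fb_issued_states'] ?? [] as $entry) {
        $fresh = ($now - $entry['at']) <= STATE_TTL;
        // hash_equals compares in constant time.
        if ($fresh && hash_equals($entry['state'], $returned)) {
            $session['FBRLH_state'] = $returned;
            return true;
        }
    }
    return false; // unknown or expired: let the SDK's CSRF check fail
}

// Constructed demonstration; a plain array stands in for $_SESSION.
$session = ['FBRLH_state' => 'constructed-state-aaaa'];
remember_issued_state($session, 1000);
unset($session['FBRLH_state']); // the SDK clears it after one success
var_dump(restore_state_if_issued($session, 'constructed-state-aaaa', 1100)); // issued and fresh
var_dump(restore_state_if_issued($session, 'never-issued-value', 1100));     // not in the list
var_dump(restore_state_if_issued($session, 'constructed-state-aaaa', 5000)); // past the TTL
```

In a real page the first argument would be `$_SESSION` and the second `$_GET['state'] ?? null`; a state that was never recorded for this session is never copied into `FBRLH_state`.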
