CSRF state token does not match one provided FB PHP SDK 3.1.1 Oauth 2.0

难免孤独 2020-12-01 12:12

My server logs show a "CSRF state token does not match one provided" error which seems to happen for almost every user. However, the users are created and/or authenticated

9 answers
  •  天涯浪人
    2020-12-01 12:47

    To add a bit to chesles's answer, this problem can occur if you're playing with the session_start() - session_write_close() functions, as I did.

    If there is no started session when you're requesting the loginUrl, you'll get this error.

    Sidenote: Why bother stopping the session?

    Scripts that use sessions stop each other, because they're waiting for the session array to be available to use.

    Imagine that you have a popular application, with thousands of users, and have an action (a php script) where you post a picture. Something like this:

    --starting session at the top of the script

    --connecting to facebook

    --creating the image

    --sharing the image with the api call

    --script end, session closes automatically

    Doing this, the session will be used by the script for a long time for no reason. Be careful with such scripts, use something like this instead:

    --starting session right before where you create the facebook object

    --connecting to facebook

    --closing session with session_write_close(), the session array's available, other scripts can load

    --creating the image

    --sharing the image with the api call /* I think this doesn't need a session. */

    --script end, session already closed manually.

    Cheers.
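
The state check discussed in this answer, sketched in plain PHP as an added example (not from the original thread and not the Facebook SDK's own code). The function names, the `oauth_state` session key and the URL parameters are assumptions; the session is held open only long enough to store or read the token, and a missing token is logged separately from a mismatched one.

```php
<?php
// Added example. Hypothetical helpers, not part of the Facebook PHP SDK.
// Requires PHP 7+ for random_bytes() and the ?? operator.

/** Login page: create the state token while the session is open. */
function begin_login(string $authorizeUrl, string $clientId, string $redirectUri): string
{
    session_start();                     // without this the token is never stored
    $state = bin2hex(random_bytes(16));  // unpredictable, per-login value
    $_SESSION['oauth_state'] = $state;
    session_write_close();               // persist it and release the session lock

    return $authorizeUrl . '?' . http_build_query([
        'client_id'    => $clientId,
        'redirect_uri' => $redirectUri,
        'state'        => $state,
    ]);
}

/** Callback page: compare the returned state with the stored one. */
function verify_callback(array $query): bool
{
    session_start();
    $expected = $_SESSION['oauth_state'] ?? null;
    unset($_SESSION['oauth_state']);     // single use: a replayed callback fails
    session_write_close();               // release the lock before any slow work

    if ($expected === null) {
        // Typical cause: no session was started when the login URL was built.
        error_log('state check failed: no token stored in session');
        return false;
    }
    $given = $query['state'] ?? null;
    if (!is_string($given) || !hash_equals($expected, $given)) {
        error_log('state check failed: token mismatch');
        return false;
    }
    return true;
}

// Callback usage: reject the request before exchanging the code.
// if (!verify_callback($_GET)) { http_response_code(400); exit; }
```

Anything written to `$_SESSION` after `session_write_close()` is not saved, so the token has to be stored before the session is closed.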
