CSRF state token does not match one provided FB PH

Posted 2020-01-28 05:30

My server logs show a "CSRF state token does not match one provided" error which seems to happen for almost every user. However, the users are created and/or authenticated and I am able to retrieve the user info. I am using a Linux server with Apache. I am also using the latest Facebook PHP SDK v.3.1.1 Can anyone tell me why this is happening and how to fix it?

9 answers
Summer. ? 凉城
#2 · 2020-01-28 06:09

I had the same problem in my local machine and the problem turned out to be that my hosts file was blocking communication with Verisign, so the URL Facebook tries to communicate with (http://crl.verisign.com/pca3.crl) never worked (state: 404).

Commenting out the various Verisign IP addresses from my hosts file did the trick!

疯言疯语
#3 · 2020-01-28 06:09

CSRF state and code are checked using local sessions, I bet you need to check your session.save_handler in your php.ini, and if it was working properly.

孤傲高冷的网名
#4 · 2020-01-28 06:22

If you use .htaccess mod_rewrite redirects on your page, add [QSA] (Query String Append) at the end of the rules to preserve the GET variables; otherwise you lose the $code variable, which is required for the Facebook login.

迷人小祖宗
#5 · 2020-01-28 06:24

I had a similar issue last week, and tracked it down to the state field being overwritten by multiple calls to getLoginUrl(). Each time you call getLoginUrl(), a new state token is generated in the SDK and stored in the $_SESSION (it's just a random value), so if you call it twice and the user uses the first link to log in, the second call will have reset the SDK's internal state token, and you will get this error in your logs.

The SDK looks for the same state token in the URL coming back after Facebook authorizes the user and redirects them back to your site, and if it doesn't match it will log this error (here's a link to the source).

何必那么认真
#6 · 2020-01-28 06:24

Facebook SDK code has a bug when checking against tokens twice in the same handler.

I edited the getCode function of facebook.php like this:

protected function getCode() {
    if (!isset($_REQUEST['code']) || !isset($_REQUEST['state']) || $this->state === null) {
        return false;
    }
    if ($this->state === $_REQUEST['state']) {
        // CSRF state has done its job, so clear it
        $this->state = null;
        $this->clearPersistentData('state');
        return $_REQUEST['code'];
    }
    self::errorLog('CSRF state token does not match one provided.');

    return false;
}

to make it clearer, so that it does not report an invalid token if called twice.

To be clear, the function can be called twice in the same URL handler if, e.g.:

$facebook->getUser(); and then, in the same handler, $facebook->getLogoutUrl(); then getCode() is called twice, resulting in an invalid error message.

何必那么认真
#7 · 2020-01-28 06:24

I had the same issue. It's easy. Don't call

$fbLoginUrl = $facebook->getLoginUrl(...);

before

$fbUser = $facebook->getUser();

otherwise you will get the "CSRF state token does not match one provided" error.
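The two failure modes described in answers #5, #6 and #7 (the stored state being overwritten by a second getLoginUrl() call, and getCode() checking the same token twice in one request), reduced to a stand-alone PHP script that runs from the command line. This is an added example, not code from the Facebook PHP SDK or from any answer above; the function names naiveLoginUrl, loginUrl, codeFromCallback and stateOf, the in-memory $session array standing in for $_SESSION, and the constructed callback values are all assumptions.

```php
<?php
// Added example (not from the Facebook PHP SDK or the answers above): a minimal
// simulation of the OAuth "state" handshake. It shows why regenerating the
// state on every getLoginUrl() call, or verifying the returned state twice in
// one request, yields "CSRF state token does not match one provided", and how
// a reuse-then-clear-once design avoids both. All names here are assumed.

// NAIVE generator: a fresh state on every call, overwriting the stored one
// (the behaviour answer #5 describes). $session stands in for $_SESSION.
function naiveLoginUrl(array &$session): string {
    $session['state'] = bin2hex(random_bytes(16));
    return 'https://www.facebook.com/dialog/oauth?state=' . $session['state'];
}

// FIXED generator: mint a state only when none is pending, so repeated calls
// inside one request hand out the same token.
function loginUrl(array &$session): string {
    if (empty($session['state'])) {
        $session['state'] = bin2hex(random_bytes(16));
    }
    return 'https://www.facebook.com/dialog/oauth?state=' . $session['state'];
}

// Callback-side check, in the spirit of answer #6's patched getCode():
// returns the code on the first match and consumes the state; a later call in
// the same request finds no pending state and returns null silently; only a
// genuine mismatch is logged.
function codeFromCallback(array &$session, array $request, array &$log): ?string {
    if (!isset($request['code'], $request['state']) || empty($session['state'])) {
        return null;                       // nothing to verify, or already consumed
    }
    if (hash_equals($session['state'], $request['state'])) {
        unset($session['state']);          // single use: clear after it did its job
        return $request['code'];
    }
    $log[] = 'CSRF state token does not match one provided.';
    return null;
}

// Helper: pull the state parameter back out of a login URL.
function stateOf(string $url): string {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return $query['state'];
}

// Scenario 1: naive generator called twice; the user follows the FIRST link.
$session = []; $log = [];
$first = naiveLoginUrl($session);
naiveLoginUrl($session);                   // overwrites the state the user is carrying
$callback = ['code' => 'CODE_PLACEHOLDER', 'state' => stateOf($first)];   // constructed
$code = codeFromCallback($session, $callback, $log);
printf("naive: code=%s, errors=%d\n", var_export($code, true), count($log));

// Scenario 2: fixed generator called twice, then the callback checked twice
// in the same request (the getUser() + getLogoutUrl() pattern from answer #6).
$session = []; $log = [];
$first = loginUrl($session);
loginUrl($session);                        // returns the same pending state
$callback = ['code' => 'CODE_PLACEHOLDER', 'state' => stateOf($first)];   // constructed
$code1 = codeFromCallback($session, $callback, $log);   // match, state consumed
$code2 = codeFromCallback($session, $callback, $log);   // no pending state, no error
printf("fixed: first=%s, second=%s, errors=%d\n",
    var_export($code1, true), var_export($code2, true), count($log));
```

Run it with `php example.php`. The first scenario rejects a legitimate callback and logs one error purely because the second generator call replaced the stored state; the second scenario accepts the code once, treats the repeated check as "already consumed" rather than as a mismatch, and logs nothing. hash_equals is used for the comparison so that the check does not leak timing information about the stored token.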
