The “state” param from the URL and session do not match

Published 2019-01-18 20:25

In the Facebook documentation:

require('include/facebook/autoload.php'); // SDK directory
$fb = new Facebook\Facebook([
    'app_id'     => '***********',
    'app_secret' => '***********************'
]);

$helper = $fb->getRedirectLoginHelper();
$permissions = ['email', 'public_profile']; // optional
// Builds the authorization URL and stores the CSRF "state" value in the session
$loginUrl = $helper->getLoginUrl('http://www.meusite.com.br/login-callback.php', $permissions);

When I redirect to the URL $loginUrl, the return is: Facebook SDK returned an error: Cross-site request forgery validation failed. The "state" param from the URL and session do not match

11 answers
我只想做你的唯一
#2 · 2019-01-18 20:42

This problem also occurs when you generate 2 or more login links on the same page (e.g. one for login and another for registration; even if both point to the same URL, they just have different labels).

The Facebook SDK creates/updates $_SESSION[FBRLH_state] for each newly generated login URL. So if 2 URLs are generated (using $helper->getLoginUrl()), then $_SESSION[FBRLH_state] is rewritten twice and is valid only for the last generated URL. The previous login URL becomes invalid. This means it is not possible to generate 2 valid login URLs. If 2 identical URLs are needed, return the first one and avoid calling the Facebook SDK to generate the second one.

啃猪蹄的小仙女
#3 · 2019-01-18 20:43

There could be 2 reasons for this error:

  1. You didn't call session_start(); before the getLoginUrl call.
  2. You executed getLoginUrl again in login-callback.php, so the state value was regenerated and mismatched the redirected value.
成全新的幸福
#4 · 2019-01-18 20:43

This issue was a bit confusing for me, because I had to change a line in the Facebook src file:

src/Facebook/Helpers/FacebookRedirectLoginHelper.php

in the function "validateCsrf", which reads like this:

if ($result !== 0) {
    throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.');
}

And change it into:

if ($result === 0) {
    throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.');
}

I don't know if this violates the Facebook SDK's security, so I am truly open to any explanation or recommendation for this answer.

You may also make the following changes in the Facebook app manager:

Add your site and callback URL to your Facebook app account at:

Settings -> Advanced: Valid OAuth redirect URIs

Don't forget to add another URL with a slash (/) at the end of each URL, and check all 4 checkboxes under Client OAuth Settings.

Luminary・发光体
#5 · 2019-01-18 20:44

I had the same error. Are you using 1 file or 2? I was trying to get by using 1 file, but my error was resolved when I split into login.php & fb-callback.php as the documentation recommended. My sessions were being re-written, so the state was never saved properly.

Good luck!

Luminary・发光体
#6 · 2019-01-18 20:46

Possible fixes: I used the following configuration settings.

Enable WebAuthLogin under the Advanced tab. Provide the same URL in the WebAuthLogin settings as the one you pass to $loginUrl.

For example, if you use $loginUrl as https://example.com/, use that same URL in the WebAuthLogin URL: $loginUrl = $helper->getLoginUrl('https://example.com/', $permissions);

家丑人穷心不美
#7 · 2019-01-18 20:46

I had the same problem.

The reason for this error is --->

When "$helper->getLoginUrl" is called, it creates a session variable "FB_State", and this is something FB uses to match the token. Every time getLoginUrl is called, it creates a new state. Then, after the user has authorized and is redirected back, if your code cannot detect this event and re-runs "$helper->getLoginUrl", this error will occur.

The solution ->

  1. Refine your code: stop running "$helper->getLoginUrl" again once authorized.

  2. If you have already re-run it, then set the session variable for the token to NULL if you have one, so the user can re-authorize.

  3. When the user tries to re-authorize, they can remove the authorized app once, or you need to generate a new link with "$helper->getReRequestUrl".

Yet, the token has to be obtained by calling "getAccessToken()" before "$helper->getLoginUrl" or "$helper->getReRequestUrl" runs.

Good Luck!!!!!

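Several replies above describe the same mechanism from different angles: the SDK stores a random "state" value in the session when it builds the login URL, regenerates it on every getLoginUrl() call, and on the callback throws when the value in the URL differs from the stored one (the `$result !== 0` check in the fourth reply is the correct direction: a mismatch must throw, otherwise the CSRF protection is gone). The following is an added example, not the Facebook SDK's code and not from any reply on this page. It re-implements that state handling in plain PHP so the failure modes discussed here cannot occur: the session is started, the state is generated once per session (so two login links on one page share it, which is a design choice of this example, not how the SDK behaves), and the callback validates the state instead of regenerating it. The function names and the session key `oauth_state` are this example's own; the app id and code are placeholders.

```php
<?php
// Added example, not SDK code. Function names and the 'oauth_state' session
// key are assumptions of this example.
declare(strict_types=1);

// Both login.php and login-callback.php must have a running session, or the
// stored state can never be found (reply #3).
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/**
 * Return the state to embed in a login URL, generating it once per session.
 * Two login links rendered on the same page therefore share one state and
 * both stay valid (the situation in reply #2).
 */
function issueState(): string
{
    if (!isset($_SESSION['oauth_state']) || !is_string($_SESSION['oauth_state'])) {
        // 32 random bytes -> 64 hex characters, unguessable by a third party
        $_SESSION['oauth_state'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['oauth_state'];
}

/**
 * Build the authorization URL with the parameters getLoginUrl() emits.
 * The unversioned dialog endpoint is used so no Graph API version is pinned.
 */
function buildLoginUrl(string $appId, string $redirectUri, array $scopes): string
{
    $query = http_build_query([
        'client_id'     => $appId,
        'redirect_uri'  => $redirectUri,
        'scope'         => implode(',', $scopes),
        'response_type' => 'code',
        'state'         => issueState(),
    ]);
    return 'https://www.facebook.com/dialog/oauth?' . $query;
}

/**
 * Validate the state on the callback page. This belongs in login-callback.php
 * instead of a second getLoginUrl() call, which would overwrite the stored
 * state and produce exactly the error in the question. Throws on mismatch,
 * the same direction as the SDK's "$result !== 0 -> throw" check.
 */
function validateState(array $query): bool
{
    $expected = $_SESSION['oauth_state'] ?? null;
    $received = $query['state'] ?? null;

    // Single use: forget the stored value before comparing, so a replayed
    // callback URL cannot pass a second time.
    unset($_SESSION['oauth_state']);

    if (!is_string($expected) || !is_string($received)) {
        throw new RuntimeException(
            'Cross-site request forgery validation failed. The "state" param is missing from the URL or the session.'
        );
    }
    // hash_equals() compares in constant time, unlike === on strings.
    if (!hash_equals($expected, $received)) {
        throw new RuntimeException(
            'Cross-site request forgery validation failed. The "state" param from the URL and session do not match.'
        );
    }
    return true;
}

// --- login.php side: two links on one page, one shared state ----------------
$appId       = 'APP_ID_PLACEHOLDER';                         // constructed placeholder
$redirectUri = 'https://example.com/login-callback.php';     // constructed value
$loginUrl    = buildLoginUrl($appId, $redirectUri, ['email', 'public_profile']);
$registerUrl = buildLoginUrl($appId, $redirectUri, ['email', 'public_profile']);

// --- login-callback.php side, simulated with the query Facebook would send --
parse_str((string) parse_url($registerUrl, PHP_URL_QUERY), $sent);
if (validateState(['code' => 'CODE_PLACEHOLDER', 'state' => $sent['state']])) {
    echo "state accepted\n";
}

// Visiting the same callback URL again now fails: the state was consumed above.
try {
    validateState(['code' => 'CODE_PLACEHOLDER', 'state' => $sent['state']]);
} catch (RuntimeException $e) {
    echo 'replay rejected: ' . $e->getMessage() . "\n";
}
```

In a real deployment the two halves live in separate files, as the fifth reply recommends: buildLoginUrl() runs in login.php and validateState() runs in login-callback.php before any call that would mint a new state. With the SDK itself, the equivalent rule is simply to call getLoginUrl() once, on the login page only, and to call getAccessToken() on the callback page without calling getLoginUrl() again.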