Facebook PHP SDK - getLoginUrl() - state value

I am using the PHP SDK getLoginUrl() function which works perfectly to log the user in. Once the user is redirected back to my page, the URL can come in two forms, see in the following link subsection 3: http://developers.facebook.com/docs/authentication/server-side/

Part of the return URL is a ?state= value. This value is supposed to be used to prevent Cross Site Request Forgery: http://developers.facebook.com/docs/reference/dialogs/oauth/

Though, using the getLoginUrl() method I can never set a state value as it is not one of the parameters: http://developers.facebook.com/docs/reference/php/facebook-getLoginUrl/

So how can I utilize the state-value to log a user into facebook and prevent CSRF?

Aventuris Avatar asked Apr 27 '12 22:04



1 Answer

So how can I utilize the state-value to log a user into facebook and prevent CSRF?

This is being automatically handled by the Facebook PHP SDK. If you were about to write your own API calls to Facebook, you would need to submit the state manually (if desired) as per Facebook's OAuth documentation.

When you create a login url with BaseFacebook::getLoginUrl(), the first thing the function does is to establish CSRF token state [1], which creates a hash using PHP's core mt_rand(), uniqid() and md5() functions and also stores the value as a session variable.

When the user gets redirected back to your page, the FBSDK checks if the submitted state matches the state value in the session. If the values indeed match, the state is cleared from the Facebook object and from the session, so all subsequent getLoginUrl() requests would get a new state variable. [2]

Theoretically you could use your own state value with FBSDK by writing it to fb_<your_app_id>_state session variable before constructing the Facebook-object, as the BaseFacebook's constructor and establishCSRFTokenState() both check if the state already exists in the session.

But that would probably introduce more complexity than is necessary.

 


  1. see BaseFacebook::establishCSRFTokenState()
  2. see BaseFacebook::getCode()
Jari Keinänen Avatar answered Oct 21 '22 04:10
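The state round-trip the answer describes (create a token, store it under the session key the SDK uses, compare on the redirect back, clear it after use), written out as an added example that is not code from the Facebook PHP SDK. The session key name fb_<app_id>_state follows the answer; the dialog URL, the app id and the redirect URI are assumed placeholders, and random_bytes() stands in for the SDK's mt_rand()/uniqid()/md5() token source.

```php
<?php
// Added example, not SDK code. A plain array stands in for $_SESSION so it runs offline.

function stateSessionKey(string $appId): string
{
    return 'fb_' . $appId . '_state';   // same key name the answer describes
}

// Step 1 (before building the login URL): create one token per login attempt
// and keep it server-side; reuse it if one is already pending, as the SDK does.
function establishState(array &$session, string $appId): string
{
    $key = stateSessionKey($appId);
    if (empty($session[$key])) {
        $session[$key] = bin2hex(random_bytes(16));   // assumed stronger source than md5(uniqid(mt_rand()))
    }
    return $session[$key];
}

function buildLoginUrl(array &$session, string $appId, string $redirectUri): string
{
    $params = [
        'client_id'    => $appId,
        'redirect_uri' => $redirectUri,
        'state'        => establishState($session, $appId),
    ];
    return 'https://www.facebook.com/dialog/oauth?' . http_build_query($params);   // assumed endpoint
}

// Step 2 (on the redirect back): accept the ?code= only when ?state= matches the
// stored token. The token is cleared on every attempt (a stricter choice than the
// answer's "cleared on match"), so a value can never be replayed.
function verifyState(array &$session, string $appId, array $query): bool
{
    $key      = stateSessionKey($appId);
    $expected = $session[$key] ?? null;
    unset($session[$key]);
    if ($expected === null || !isset($query['state']) || !is_string($query['state'])) {
        return false;
    }
    return hash_equals($expected, $query['state']);   // constant-time comparison
}

// Usage: build the URL, then simulate the callback with the state it carried.
$session = [];
$appId   = 'APP_ID_PLACEHOLDER';
$url     = buildLoginUrl($session, $appId, 'https://example.com/fb-callback');
parse_str((string) parse_url($url, PHP_URL_QUERY), $sent);
var_dump(verifyState($session, $appId, ['code' => 'x', 'state' => $sent['state']]));  // genuine callback
var_dump(verifyState($session, $appId, ['code' => 'x', 'state' => $sent['state']]));  // same state again, token already consumed
```

A callback carrying a forged or missing state fails the same way as the replay in the last line, which is the CSRF protection the question asks about.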