How did the ‘state’ come into GET at facebook auth at http://developers.facebook.com/docs/authentication/ ? At

Question

0

Asked: May 28, 20262026-05-28T18:13:59+00:00 2026-05-28T18:13:59+00:00

How did the ‘state’ come into GET at facebook auth at http://developers.facebook.com/docs/authentication/ ? At

0

How did the ‘state’ come into GET at facebook auth at http://developers.facebook.com/docs/authentication/? At the code that comes after the “The following PHP example demonstrates the server-side flow with CSRF protection in one self-contained example:”, line if($_REQUEST['state'] == $_SESSION['state']) { . I don’t understand how come that part of the session is transmitted somewhere else.

See related questions: Will the auth work without state at the SESSION?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-28T18:14:00+00:00

Editorial Team

2026-05-28T18:14:00+00:00Added an answer on May 28, 2026 at 6:14 pm

The state came into the Get via this code:

 $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
 $dialog_url = "http://www.facebook.com/dialog/oauth?client_id=" 
   . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
   . $_SESSION['state'];

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

How did the ‘state’ come into GET at facebook auth at http://developers.facebook.com/docs/authentication/ ? At

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply