Home/ Questions/Q 8048273
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T06:22:51+00:00

I am trying to login on my website using Facebook Authentication and it works

  • 0

I am trying to login on my website using Facebook Authentication and it works fine . How ever when i access the Application by using https://apps.facebook.com/myApp then i get an error

The state does not match. You may be a victim of CSRF

Here is the code that i am using from facebook , I think there is a problem in

$my_url

 <?php 

   $app_id = "YOUR_APP_ID";
   $app_secret = "YOUR_APP_SECRET";
   $my_url = "https://www.example.com/login.php";

   session_start();
   $code = $_REQUEST["code"];

   if(empty($code)) {
     $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
     $dialog_url = "https://www.facebook.com/dialog/oauth?client_id=" 
       . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
       . $_SESSION['state'];

     echo("<script> top.location.href='" . $dialog_url . "'</script>");
   }

   if($_REQUEST['state'] == $_SESSION['state']) {
     $token_url = "https://graph.facebook.com/oauth/access_token?"
       . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
       . "&client_secret=" . $app_secret . "&code=" . $code;

     $response = file_get_contents($token_url);
     $params = null;
     parse_str($response, $params);

     $graph_url = "https://graph.facebook.com/me?access_token=" 
       . $params['access_token'];

     $user = json_decode(file_get_contents($graph_url));
     echo("Hello " . $user->name);
   }
   else {
     echo("The state does not match. You may be a victim of CSRF.");
   }

 ?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You really should cheek out the SDK that facebook provides for FTP. Then you don’t need to recreate any of the graph calls as it’s all handled for you.

    But there are two issues:

    1. You need to encode the entire return URL in the login call i.e.

      &redirect_uri=” . urlencode($my_url . “&state=” . $_SESSION[‘state’]);

    2. If you want to pass data into an iFrame, you need to send it in a parameter called “app_data” – all other parameters will get removed. This app_data gets sent in the “signed request” so you need to decode the signed_request. Details http://developers.facebook.com/docs/authentication/signed_request/ (Again, use the facebook SDK as it makes handling the signed request easy!).

    • 0