I am using the PHP SDK getLoginUrl() function which works perfectly to log the user in. Once the user is redirected back to my page, the URL can come in two forms, see in the following link subsection 3: http://developers.facebook.com/docs/authentication/server-side/
Part of the return URL is a ?state= value. This value is supposed to be used to prevent Cross Site Request Forgery: http://developers.facebook.com/docs/reference/dialogs/oauth/
Though, using the getLoginUrl() method I can never set a state value as it is not one of the parameters: http://developers.facebook.com/docs/reference/php/facebook-getLoginUrl/
So how can I utilize the state-value to log a user into facebook and prevent CSRF?
This is being automatically handled by the Facebook PHP SDK. If you were about to write your own API calls to Facebook, you would need to submit the
statemanually (if desired) as per Facebook’sOAuthdocumentation.When you create a login url with
BaseFacebook::getLoginUrl(), the first thing the function does is to establish CSRF token state1, which creates a hash using PHP’s coremt_rand(),uniqid()andmd5()functions and also stores the value as a session variable.When the user gets redirected back to your page the, FBSDK checks if the submitted
statematches thestatevalue in the session. If the values indeed match, thestateis cleared from theFacebookobject and from the session, so all subsequentgetLoginUrl()requests would get a newstatevariable.2Theoretically you could use your own
statevalue with FBSDK by writing it tofb_<your_app_id>_statesession variable before constructing theFacebook-object, as theBaseFacebook‘s constructor andestablishCSRFTokenState()both check if thestatealready exists in the session.But that would probably introduce more complexity than is necessary.
BaseFacebook::establishCSRFTokenState()BaseFacebook::getCode()