I’m using facebook connect on my site and it works fine except for one small (but annoying) detail. Whenever a user logs in, they return to the original url they were at before except there is an extra piece added to the end of the url. For example, if the page was at http://www.domain.com, after logging in through facebook, the new url would be something like this:
www.domain.com/?state=407abe669787e4a97dc80c93d7ba5eae&code=AQDu0Vjf1hvo7N-TPmdsBygQCIxs7LfEfNMlf1aKNiyOeuAtDbIo-zTzWqWF7yv_Jsp4YOfkjQHqx17zsiCPYKxLyeL3BMdNr0HFnEu7Q50Hc2Ca92VfiDl9VWQJUDRYwjPDkpyZPJHOIkInaRA9xTivtuUtb5VCUGNvHSU7hRgb3muK-EKJ1p5iEnRjN1y7_Y8#_=_
I’m using the newest facebook PHP SDK (version 3.1.1 as of now) and I’m getting the login url just like in the example shown here: https://developers.facebook.com/docs/reference/php/facebook-getLoginUrl/ by calling
$facebook->getLoginUrl(array('scope' => 'email', 'display' => 'touch'));
The url that it creates looks correct, something like this:
https://www.facebook.com/dialog/oauth?client_id=124847107591285&redirect_uri=http%3A%2F%2Fdomain.com&state=407abe669787e4a97dc80c93d7ba5eae&scope=email&display=touch
I would like it so that the url the user returns to post-login is exactly as it was, without the extra state and code values. I haven’t seen anything about this mentioned in the docs and this is really bugging me.
I’m wondering if anyone else has come across this, and if so, if there is a solution for it.
Perhaps you didn’t look at the right docs page, but it says very clearly at https://developers.facebook.com/docs/authentication/ what the purpose of those two parameters is:
As for the state parameter, this one is very important in preventing CSRF attacks.
To summarize, those parameters are important and are there for you to use if you want to (and you should).
If for any reason you don’t want your users to see that url, you can check whether they are set in your GET superglobal and, if they are, redirect the user to the page you want without those params being present.
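One way to do what the answer describes, as an added example that is not code from the original post or from the Facebook PHP SDK: let the SDK finish the login (it compares the `state` parameter with the one it stored in the session when `getLoginUrl()` was called, and exchanges the `code` for an access token), then send the browser back to the same path with the callback parameters stripped. The SDK path `src/facebook.php`, the `YOUR_APP_ID` / `YOUR_APP_SECRET` placeholders and the helper name `cleanCallbackUrl` are assumptions for the example.

```php
<?php
// Added example, not part of the original post or the Facebook PHP SDK.
// Assumes Facebook PHP SDK 3.x is available at src/facebook.php and that the
// two placeholders below are replaced with the real app credentials.
require_once 'src/facebook.php';

session_start();

$facebook = new Facebook(array(
    'appId'  => 'YOUR_APP_ID',      // placeholder
    'secret' => 'YOUR_APP_SECRET',  // placeholder
));

// Rebuild the current request URL without the OAuth callback parameters,
// keeping any other query string the page legitimately had. Only the path and
// query of *this* request are reused (never a user-supplied target), so the
// redirect cannot be turned into an open redirect.
function cleanCallbackUrl(array $get, $requestUri)
{
    $path = strtok($requestUri, '?');
    unset(
        $get['state'],
        $get['code'],
        $get['error'],
        $get['error_reason'],
        $get['error_description']
    );
    $query = http_build_query($get);
    return $path . ($query !== '' ? '?' . $query : '');
}

if (isset($_GET['state']) && isset($_GET['code'])) {
    // getUser() makes the SDK check the state from the query string against
    // the one it put in the session for this login, and, only if they match,
    // exchange the code for an access token (kept in the session). A return
    // value of 0 means the state did not match or the exchange failed, so the
    // user is simply not logged in; do not trust the code parameter yourself.
    $user = $facebook->getUser();

    if (!$user) {
        // Optional: log the failed or forged callback for your own records.
        error_log('Facebook login callback rejected (state mismatch or exchange failed)');
    }

    // Either way, leave the "?state=...&code=..." URL behind. A path-only
    // Location header is used on purpose so the Host header is never echoed.
    header('Location: ' . cleanCallbackUrl($_GET, $_SERVER['REQUEST_URI']), true, 303);
    exit;
}

// Normal page rendering continues here; $facebook->getUser() now reports the
// logged-in user (if any) from the session, with a clean URL in the address bar.
```

Two caveats. The `redirect_uri` the SDK sends at login and the one it uses for the code exchange are both derived from the current request URL, so the callback must land on the same path that called `getLoginUrl()`. And the trailing `#_=_` is a fragment appended by Facebook: the browser never sends it to the server, and browsers keep the original fragment when following a redirect, so removing it is a client-side job (for example `history.replaceState` on the landing page when `window.location.hash === '#_=_'`).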