Nilsen Nilsen - 2 months ago 29
PHP Question

Facebook login error in mobile browser

I'm using API Facebook to login on my website but.. login from desktop browser works fine, login from mobile browser return an error.

The error message from mobile browser is:

Facebook SDK returned an error: Cross-site request forgery validation failed. Required param "state" missing from persistent data.


In login page I used this code to generate the link to facebook
(I'm using the Facebook PHP SDK)

login

if(!session_id()) {
session_start();
}
$fb = new Facebook\Facebook([
'app_id' => APP_ID,
'app_secret' => APP_SECRET,
'default_graph_version' => 'v2.2'
]);

$helper = $fb->getRedirectLoginHelper();

$permissions = ['email']; // Optional permissions
$loginUrl = $helper->getLoginUrl(SERVER_CALLBACK, $permissions);

$facebook = htmlspecialchars($loginUrl);


This is the callback

callback

if(!session_id()) {
session_start();
}
$fb = new Facebook\Facebook([
'app_id' => APP_ID,
'app_secret' => APP_SECRET,
'default_graph_version' => 'v2.2',
'persistent_data_handler'=>'session'
]);

$helper = $fb->getRedirectLoginHelper();

try {
$accessToken = $helper->getAccessToken();
} catch(Facebook\Exceptions\FacebookResponseException $e) {
// When Graph returns an error
echo 'Graph returned an error: ' . $e->getMessage();
exit;
} catch(Facebook\Exceptions\FacebookSDKException $e) {
// When validation fails or other local issues
echo 'Facebook SDK returned an error: ' . $e->getMessage();
exit;
}

if (! isset($accessToken)) {
if ($helper->getError()) {
header('HTTP/1.0 401 Unauthorized');
echo "Error: " . $helper->getError() . "\n";
echo "Error Code: " . $helper->getErrorCode() . "\n";
echo "Error Reason: " . $helper->getErrorReason() . "\n";
echo "Error Description: " . $helper->getErrorDescription() . "\n";
} else {
header('HTTP/1.0 400 Bad Request');
echo 'Bad request';
}
exit;
}

// Logged in

// The OAuth 2.0 client handler helps us manage access tokens
$oAuth2Client = $fb->getOAuth2Client();

// Get the access token metadata from /debug_token
$tokenMetadata = $oAuth2Client->debugToken($accessToken);

// Validation (these will throw FacebookSDKException's when they fail)
$tokenMetadata->validateAppId(APP_ID);
// If you know the user ID this access token belongs to, you can validate it here
$tokenMetadata->validateExpiration();

if (! $accessToken->isLongLived()) {
// Exchanges a short-lived access token for a long-lived one
try {
$accessToken = $oAuth2Client->getLongLivedAccessToken($accessToken);
} catch (Facebook\Exceptions\FacebookSDKException $e) {
echo "<p>Error getting long-lived access token: " . $helper->getMessage() . "</p>\n\n";
exit;
}
}


I'm wonder because everything is working in desktop navigation, but using a mobile browser something is going wrong.

Answer

The problem was during the generation of session.

Here the wrong code:

if (ini_set('session.use_only_cookies', 1) === FALSE) exit();
// Forces sessions to only use cookies.
ini_set( 'session.cookie_httponly', 1 );
// This stops JavaScript being able to access the session id.
// Activate if you use a HTTPS connection
ini_set( 'session.cookie_secure', 0 );
// Sets the session name to the one set above.
session_name(NAME_SESSION);
session_set_cookie_params(3600 * 12);
session_start();
session_regenerate_id(TRUE); // <- This is the error

Because the function session_regenerate_id does not handle unstable network well. e.g. Mobile and WiFi network. Therefore, you may experience lost session by calling session_regenerate_id. Here the solution

Comments