php - Facebook API Session contents randomly changing


So I posted a previous question before this, but deleted it because I've discovered the problem.

Basically, I'm getting this error:

Facebook SDK returned an error: Cross-site request forgery validation failed. The "state" param from the URL and session do not match.

I was able to pinpoint that, for some bizarre reason, $_SESSION['FBRLH_state'] is changing. Here is my login.php, which generates the login URL for the user:

    session_start();
    require_once $_SERVER['DOCUMENT_ROOT'] . '/src/facebook/autoload.php';

    $fb = new Facebook\Facebook([
        'app_id' => '??????',
        'app_secret' => '????',
        'default_graph_version' => 'v2.4'
    ]);

    // Generating the login URL stores the CSRF "state" value in the session
    $helper = $fb->getRedirectLoginHelper();
    $loginUrl = $helper->getLoginUrl('http://example.ca/login-callback.php');
    echo '<a href="' . htmlspecialchars($loginUrl) . '">login</a>';
    print_r($_SESSION);

When I print_r($_SESSION);, I get this:

    Array ( [FBRLH_state] => d116b427b433a0b3dc41a858782cd690 )

However (get ready for the magic), upon redirection to the login-callback.php file, the $_SESSION array mysteriously changes to this:

    Array ( [FBRLH_state] => e99c4ece0f8e48ab53dea6a4826c5593 )

Here is the code for login-callback.php:

    <?php
    header("content-type: text/html;charset=utf-8");
    session_start();
    print_r($_SESSION);

    require_once $_SERVER['DOCUMENT_ROOT'] . '/src/facebook/autoload.php';
    require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/database.php';
    require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/user.php';
    require_once $_SERVER['DOCUMENT_ROOT'] . '/vars/constants.php';

    // Create the Facebook service
    $fb = new Facebook\Facebook([
        'app_id' => '????',
        'app_secret' => '????',
        'default_graph_version' => 'v2.4'
    ]);

    $helper = $fb->getRedirectLoginHelper();
    try {
        // Compares the "state" URL parameter with the value saved in the session
        $accessToken = $helper->getAccessToken();
    } catch (Facebook\Exceptions\FacebookResponseException $e) {
        // When Graph returns an error
        echo 'Graph returned an error: ' . $e->getMessage();
        exit;
    } catch (Facebook\Exceptions\FacebookSDKException $e) {
        // When validation fails or other local issues
        echo 'Facebook SDK returned an error: ' . $e->getMessage();
        exit;
    }

    if (isset($accessToken)) {
        $mysqli = database::connection();

        // Logged in!
        $_SESSION['facebook_access_token'] = (string) $accessToken;
    }

When I print $_SESSION (the first thing right after the headers), it has a different value than the login.php one. This makes no sense, because they're both on the same domain (non-www) and have the same document.cookie PHPSESSID.

But there's a catch. If I press back on login-callback.php (since login.php redirects to it, and the login fails due to the weird session magic), the $_SESSION values mysteriously match. It doesn't work if I refresh, only when I press back. I think this is an important clue to what's going on, but I have no idea.

Can someone please help me with this extremely frustrating issue? Any idea of what might be going on?

Edit: also, I created a blank file

    session_start();
    print_r($_SESSION);

and the values always match login-callback.php, which means login.php must be changing the session values (but... I can't figure out how, since when I print_r($_SESSION); at the bottom of the file it's still the same weird values).

Weirdest solution: the problem was solved when I removed </head> (basically I left <head> unclosed).
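
An added example (not the poster's code and not the Facebook SDK's implementation): a stand-alone PHP model of the mismatch described above, showing how the callback check fails when the login page runs a second time before the callback arrives. It assumes every run of the login page stores a fresh state in the session; `issueState()`, `validateState()`, `runScenario()` and the log are hypothetical names, and `$session` stands in for `$_SESSION`.

```php
<?php
// Added example: a model of the state check, not the SDK's implementation.
// $session stands in for $_SESSION; all function names are hypothetical.

// Assumption: each run of the login page stores a fresh state, replacing the old one.
function issueState(array &$session, array &$log, string $uri): string
{
    $state = bin2hex(random_bytes(16));
    $session['FBRLH_state'] = $state;
    $log[] = ['uri' => $uri, 'state' => $state]; // record which request generated it
    return $state;
}

// Callback side: compare the saved state with the one returned in the URL.
function validateState(array &$session, string $stateFromUrl): bool
{
    $saved = $session['FBRLH_state'] ?? '';
    unset($session['FBRLH_state']); // a state value is single-use
    return $saved !== '' && hash_equals($saved, $stateFromUrl);
}

// Constructed scenario: the login page is served once or several times
// before the callback arrives with the state from the first rendering.
function runScenario(array $loginPageHits): array
{
    $session = [];
    $log = [];
    $stateInLink = '';
    foreach ($loginPageHits as $i => $uri) {
        $state = issueState($session, $log, $uri);
        if ($i === 0) {
            $stateInLink = $state; // the link the user actually clicks
        }
    }
    return ['valid' => validateState($session, $stateInLink), 'log' => $log];
}

foreach ([['/login.php'], ['/login.php', '/login.php']] as $hits) {
    $result = runScenario($hits);
    printf("%d login page run(s): state check %s\n",
        count($hits), $result['valid'] ? 'passes' : 'fails');
    foreach ($result['log'] as $entry) {
        printf("  state %s issued while serving %s\n", $entry['state'], $entry['uri']);
    }
}
```

Writing the same kind of log line (request URI and generated state) from the real login.php shows whether that page is being requested more often than expected.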

