Cross-site request forgery validation failed. Required param "state" missing Laravel Sammyk/Facebook package
Solution 1
Finally, looking into FB code, I discovered that the problem "Cross-site request forgery validation failed. Required param "state" missing" and similar ones are caused by the PHP variable $_SESSION['FBRLH_state'] that for some "strange" reason when FB calls the login-callback file.
To solve it I store this variable "FBRLH_state" AFTER the call of function $helper->getLoginUrl(...). It is very important to do this only after the call of this function, because it is inside this function that the variable $_SESSION['FBRLH_state'] is populated.
Below is an example of my code in login.php:
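// getLoginUrl() populates $_SESSION['FBRLH_state'], so copy it only after this call
$uri = $helper->getLoginUrl($uri, $permissions);
// Mirror every FBRLH_* session entry into a cookie
foreach ($_SESSION as $k => $v) {
    if (strpos($k, "FBRLH_") !== FALSE) {
        if (!setcookie($k, $v)) {
            //what??
        } else {
            $_COOKIE[$k] = $v;
        }
    }
}
var_dump($_COOKIE);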
And in the login-callback.php before calling all FB code:
foreach ($_COOKIE as $k => $v) {
    if (strpos($k, "FBRLH_") !== FALSE) {
        $_SESSION[$k] = $v;
    }
}
Last, but not least, remember also to include code for PHP session so..
if (!session_id()) {
    session_start();
}
...
...
...
...
<?php session_write_close() ?>
I hope this response can help you to save 8-10 hours of work :) Bye, Alex.
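Why a lost session produces this error, as an added example (not code from the Facebook SDK or from the answer above): the login step stores a random state value, and the callback compares it with the one returned in the query string. StateStore, buildLoginUrl, validateCallback and the example URLs are hypothetical names, and the array-backed store stands in for $_SESSION.

```php
<?php
// Hypothetical stand-in for the session-backed persistent data handler.
final class StateStore {
    private array $data = [];
    public function get(string $key): ?string { return $this->data[$key] ?? null; }
    public function set(string $key, string $value): void { $this->data[$key] = $value; }
}

// Login step: generate the state, persist it, and embed it in the redirect URL.
function buildLoginUrl(StateStore $store, string $authorizeUrl, string $redirectUri): string {
    $state = bin2hex(random_bytes(16));   // unpredictable per-login value
    $store->set('state', $state);         // must survive until the callback request
    return $authorizeUrl . '?' . http_build_query([
        'redirect_uri' => $redirectUri,
        'state'        => $state,
    ]);
}

// Callback step: the saved value must exist and match the returned one.
function validateCallback(StateStore $store, array $query): void {
    $saved = $store->get('state');
    if ($saved === null) {
        // This is the situation on this page: nothing was persisted for this browser.
        throw new RuntimeException('Required param "state" missing');
    }
    $returned = $query['state'] ?? '';
    if (!is_string($returned) || !hash_equals($saved, $returned)) {
        throw new RuntimeException('state mismatch');   // constant-time comparison failed
    }
}

// Constructed demo: the same store on both requests passes validation.
$store = new StateStore();
$url = buildLoginUrl($store, 'https://provider.example/authorize', 'https://app.example/callback');
parse_str(parse_url($url, PHP_URL_QUERY), $query);
validateCallback($store, $query);
echo "same session: ok\n";

// A fresh store models a callback that runs without the original session data.
try {
    validateCallback(new StateStore(), $query);
} catch (RuntimeException $e) {
    echo "lost session: ", $e->getMessage(), "\n";
}
```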
Solution 2
For those who are using Code Igniter, you will have to autoload the session library.
Change your application/config/autoload.php; libraries must include 'session':
$autoload['libraries'] = array('session');
KillABug
Updated on June 06, 2022
Comments
-
KillABug almost 2 years
I am working with the SammyK/Facebook package and facing an issue with Facebook login over CSRF. Earlier it worked fine, but later I had to disable the CSRF protection in my kernel.php for smooth working of the API. Now I have it updated and added the below lines in the middleware:
public function handle($request, Closure $next)
{
    $skip = array(
        'api/v1/signup',
        'api/v1/login',
        'api/v1/addContacts',
        'api/v1/email'
    );
    foreach ($skip as $key => $route) {
        //skip csrf check on route
        if ($request->is($route)) {
            return parent::addCookieToResponse($request, $next($request));
        }
    }
    return parent::handle($request, $next);
}
So this allows web and API to work as expected, but since I had disabled the CSRF I get the Cross-site request forgery validation failed. Required param "state" missing error when I do a FB login. I tried to debug and found that in the FacebookRedirectLoginHelper the function
validateCsrf()
does not get the saved state:
$savedState = $this->persistentDataHandler->get('state');
I am not sure how to resolve this as ideally it should work now. I tried printing both the $state and $savedState and I get $savedState as null.
class FacebookController extends Controller
{
    public function fbConnect(LaravelFacebookSdk $fb)
    {
        // Obtain an access token.
        try {
            $token = $fb
                ->getRedirectLoginHelper()
                ->getAccessToken();
        } catch (Facebook\Exceptions\FacebookSDKException $e) {
            dd($e->getMessage());
        }
        // Access token will be null if the user denied the request
        // or if someone just hit this URL outside of the OAuth flow.
        if (! $token) {
            // Get the redirect helper
            $helper = $fb->getRedirectLoginHelper();
            if (! $helper->getError()) {
                abort(403, 'Unauthorized action.');
            }
            // User denied the request
            dd(
                $helper->getError(),
                $helper->getErrorCode(),
                $helper->getErrorReason(),
                $helper->getErrorDescription()
            );
        }
-
code-8 over 8 years
I tried that, and still facing the same error "Cross-site request forgery validation failed. Required param "state" missing."