Facebook SDK returned an error: Cross-site request forgery validation failed. The "state" param from the URL and session do not match

i'm trying to get Facebook user id using the php sdk like this

$fb = new Facebook\Facebook([
    'app_id' => '11111111111',
    'app_secret' => '1111222211111112222',
    'default_graph_version' => 'v2.4',
]);

$helper = $fb->getRedirectLoginHelper();


$permissions = ['public_profile','email']; // Optional permissions
$loginUrl = $helper->getLoginUrl('http://MyWebSite', $permissions);

echo '<a href="' . $loginUrl . '">Log in with Facebook!</a>';


    try {
        $accessToken = $helper->getAccessToken();
        var_dump($accessToken);
    } catch (Facebook\Exceptions\FacebookResponseException $e) {
        // When Graph returns an error
        echo 'Graph returned an error: ' . $e->getMessage();
        exit;
    } catch (Facebook\Exceptions\FacebookSDKException $e) {
        // When validation fails or other local issues
        echo 'Facebook SDK returned an error: ' . $e->getMessage();
        exit;
    }

    if (!isset($accessToken)) {
        if ($helper->getError()) {
            header('HTTP/1.0 401 Unauthorized');
            echo "Error: " . $helper->getError() . "\n";
            echo "Error Code: " . $helper->getErrorCode() . "\n";
            echo "Error Reason: " . $helper->getErrorReason() . "\n";
            echo "Error Description: " . $helper->getErrorDescription() . "\n";
        } else {
            header('HTTP/1.0 400 Bad Request');
            echo 'Bad request';
        }
        exit;
    }

// Logged in
    echo '<h3>Access Token</h3>';
    var_dump($accessToken->getValue());

// The OAuth 2.0 client handler helps us manage access tokens
    $oAuth2Client = $fb->getOAuth2Client();

// Get the access token metadata from /debug_token
    $tokenMetadata = $oAuth2Client->debugToken($accessToken);
    echo '<h3>Metadata</h3>';
    var_dump($tokenMetadata);

// Validation (these will throw FacebookSDKException's when they fail)
    $tokenMetadata->validateAppId($config['11111111111']);
// If you know the user ID this access token belongs to, you can validate it here
//$tokenMetadata->validateUserId('123');
    $tokenMetadata->validateExpiration();

    if (!$accessToken->isLongLived()) {
        // Exchanges a short-lived access token for a long-lived one
        try {
            $accessToken = $oAuth2Client->getLongLivedAccessToken($accessToken);
        } catch (Facebook\Exceptions\FacebookSDKException $e) {
            echo "<p>Error getting long-lived access token: " . $helper->getMessage() . "</p>\n\n";
            exit;
        }

        echo '<h3>Long-lived</h3>';
        var_dump($accessToken->getValue());
    }

    $_SESSION['fb_access_token'] = (string)$accessToken;

but it give me this error:

Facebook SDK returned an error: 
Cross-site request forgery validation failed. 
The "state" param from the URL and session do not match.

please any help i'm new in php and Facebook sdk's thank for any help in advance.

That's not how to fix this problem. I for example am using azure websites to test some stuff with the FB SDK and I am using the auto generated URL (xxxx.azurewebsites.net) and I get the error, even tough the source and target are the same.

I see how this works, but this just feels so tedious. Surely there must be an alternative rather than taking data from $_SESSION to $_COOKIE and then back to $_SESSION?

This is definitely not the way to go, pass your own implementation of the PersistentDataInterface in the config, see here: developers.facebook.com/docs/php/PersistentDataInterface/5.0‌​.0

Thanks, that helped me in Yii2 case too!

I coded my own library for CodeIgniter too. I use FILE caching.

Such errors was intermittent in my case, which this piece of code fixed it.

where should I add the extra code, in the login.php or callback.php ?

You should add this in nextend-facebook-connect.php file which you will find in plugin folder, if your using wordpress

@JimmyPelton I just added a note to the bottom of my answer that links to the docs and explains why it works

Be aware that such solution breaks CSRF protection. Because protection based on comparison of stored token and received one. Your code force them to match - you overwrite stored with received.

It should be noted that this disables the CSRF protection offered by the SDK.

@EmadOmar any idea why this is? Can you expand on that? Any valid way of fixing this while maintaining protection? EDIT: I see answer by G.Ashok Kumar explains it. Fx32's solution below seems to be best option.

What about for when this happens only intermittently? Is there a fix for that? About 5% of the time this happens.

@PhyllisSutherland I would probably put a check in before your call to the FB methods to make sure the session has been created properly. Maybe your session handler is failing somewhere that you're not seeing?

I prefer this solution, instead of activate sessions using php functions, because I am using a framework

>Be aware that such solution breaks CSRF protection. GREAT ! When facebook guys learn to do it properly I will reinstate it !! In the meantime I am damned disgusted with the waste of time, clearly not my doing.

This helps me. I had to add session_start()

You should NOT DO THIS

@enobrev lol, the session of Schrödinger. not, really, thanks for your answer and your explanation. THIS IS THE WAY YOU MUST DO IT, DO NOT DISABLE CSRF PROTECTION offered by the SDK

Why do check the existence of the session id? I read on the PHP docs: session_start — Start new or resume existing session So what's the purpose? Thanks.

@AdrianoG.V.Esposito because that wasn't always the case. PHP used to throw an error (or at least a notice) when trying to start a session when one was already started. Also, why not? It doesn't hurt to check

your debug is right but there is no solution, only a debug.

> because I am using a framework < See my answer below for how to solve it when you are using a framework without breaking CSRF protection stackoverflow.com/a/38116933/1062129

thanks. It solved to me but I've figured it out after half an hour because I needed to clean the browser cache also!! :)

The reason is that FB would validate CSRF using session between login URL page and callback page.

best answer so far :). btw/ here is the code for CI4 (pls put it in Libraries) <?php use Facebook\PersistentData\PersistentDataInterface; class FacebookPersistentDataInterface implements PersistentDataInterface { /** * @ var string Prefix to use for session variables. / protected $sessionPrefix = 'FBRLH_'; /* * @ inheritdoc / public function get($key) { return session()->get($this->sessionPrefix . $key); } /* * @ inheritdoc */ public function set($key, $value) { session()->set($this->sessionPrefix . $key, $value); } }

dude you are amazing! thanks for saving me a lot of effing time!

To be more precise, the session has to be started before new Facebook.