Cross-site request forgery validation failed. Required param "state" missing (Laravel, SammyK/Facebook package)

I am working with the SammyK/Facebook package and am facing a problem with logging into Facebook because of CSRF. Previously it worked fine, but later I had to disable CSRF protection in my kernel.php for the API to work smoothly. Now I have updated it and added the following lines in the middleware.

    public function handle($request, Closure $next)
    {
        $skip = array(
            'api/v1/signup',
            'api/v1/login',
            'api/v1/addContacts',
            'api/v1/email',
        );

        foreach ($skip as $route) {
            // skip csrf check on route
            if ($request->is($route)) {
                return parent::addCookieToResponse($request, $next($request));
            }
        }

        return parent::handle($request, $next);
    }

This allows the web and the API to work as expected, but since I turned off CSRF I get "Cross-site request forgery validation failed. Required param "state" missing" when I do the FB login. I tried to debug and found that in FacebookRedirectLoginHelper the validateCsrf() function does not get the saved state: $savedState = $this->persistentDataHandler->get('state');
I am not sure how to solve this, as ideally it should work. I tried printing both $state and $savedState, and $savedState is null.

    use Facebook\Exceptions\FacebookSDKException;
    use SammyK\LaravelFacebookSdk\LaravelFacebookSdk;

    class FacebookController extends Controller
    {
        public function fbConnect(LaravelFacebookSdk $fb)
        {
            // Obtain an access token.
            try {
                $token = $fb->getRedirectLoginHelper()->getAccessToken();
            } catch (FacebookSDKException $e) {
                // The exception class is imported above so the catch matches
                // whether or not this file declares a namespace; an unqualified
                // Facebook\Exceptions\... name inside a namespaced class would
                // resolve relative to that namespace and never match.
                dd($e->getMessage());
            }

            // Access token will be null if the user denied the request
            // or if someone just hit this URL outside of the OAuth flow.
            if (! $token) {
                // Get the redirect helper
                $helper = $fb->getRedirectLoginHelper();
                if (! $helper->getError()) {
                    abort(403, 'Unauthorized action.');
                }
                // User denied the request
                dd(
                    $helper->getError(),
                    $helper->getErrorCode(),
                    $helper->getErrorReason(),
                    $helper->getErrorDescription()
                );
            }
            // (the rest of the method is not included in the question)
        }
    }
+5
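As an added example (editor's code, not the asker's and not part of Laravel or the SammyK package): the same exemption expressed through the $except property that Laravel's base VerifyCsrfToken middleware already supports, so the handle() override above is not needed. The class name and file path are the Laravel 5.x defaults and are assumed here. Note that neither the override nor this exemption touches the SDK's persisted "state"; whether that value survives the redirect depends only on the session being started and its cookie being sent back with the callback request.

```php
<?php
// app/Http/Middleware/VerifyCsrfToken.php (default Laravel 5.x location, assumed)

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * URIs that are excluded from CSRF verification.
     *
     * Entries are matched against the request path the same way the
     * asker's loop does ($request->is()), so wildcards work: 'api/v1/*'
     * would cover all four at once. Keep the list as narrow as possible:
     * every path here can be driven from a foreign origin with the
     * victim's cookies attached, so it must not perform a state-changing
     * action on behalf of a cookie-authenticated user.
     */
    protected $except = [
        'api/v1/signup',
        'api/v1/login',
        'api/v1/addContacts',
        'api/v1/email',
    ];
}
```

For the matching paths the base class returns early through addCookieToResponse(), exactly as the override does, and every other route, including the Facebook callback, keeps the normal token check.
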
3 answers

Finally, looking at the FB code, I found that the error "Cross-site request forgery validation failed. Required param "state" missing" (and similar ones) is caused by the PHP variable $_SESSION['FBRLH_state'], which for some "strange" reason is missing when FB calls the login callback file.

To solve this problem, I save this variable "FBRLH_state" AFTER calling the $helper->getLoginUrl(...) function. It is very important to do this only after calling this function, because the variable $_SESSION['FBRLH_state'] is set inside this function.

Below is an example of my code in login.php:

    $uri = $helper->getLoginUrl($uri, $permissions);

    // Copy the SDK's session keys (FBRLH_state) into cookies so the callback can read them back.
    foreach ($_SESSION as $k => $v) {
        if (strpos($k, "FBRLH_") !== false) {
            if (!setcookie($k, $v)) {
                // what??
            } else {
                $_COOKIE[$k] = $v;
            }
        }
    }
    var_dump($_COOKIE);

And in login-callback.php before calling all the FB code:

    // Restore the SDK's keys from the cookies into the session before any FB code runs.
    foreach ($_COOKIE as $k => $v) {
        if (strpos($k, "FBRLH_") !== false) {
            $_SESSION[$k] = $v;
        }
    }

Last but not least, remember also to include code for your PHP session, therefore ..

    <?php
    if (!session_id()) {
        session_start();
    }
    // ...
    // ... (page code)
    // ...
    session_write_close();
    ?>

I hope this answer helps you save 8-10 hours of work :) Bye, Alex.

+6

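The check that fails here, as an added example (editor's code, not the Facebook PHP SDK's or the SammyK package's): a small model of the OAuth2 "state" round-trip that FacebookRedirectLoginHelper::validateCsrf() performs, with an array-backed store standing in for the SDK's persistent data handler ($_SESSION['FBRLH_state'] in plain PHP, the Laravel session in the Laravel package). The StateStore interface, the ArrayStateStore class, the APP_ID placeholder, the example.test URLs and the callback queries are all constructed for the example; the error texts are modelled on the SDK's messages.

```php
<?php
// Added example: models the OAuth2 "state" check, not SDK code.
declare(strict_types=1);

/** Stand-in for the SDK's persistent data handler: get/set by key (assumed shape). */
interface StateStore
{
    public function get(string $key): ?string;
    public function set(string $key, ?string $value): void;
}

/** Array-backed store so the script runs from the CLI without a real session. */
final class ArrayStateStore implements StateStore
{
    private array $data = [];

    public function get(string $key): ?string
    {
        return $this->data[$key] ?? null;
    }

    public function set(string $key, ?string $value): void
    {
        $this->data[$key] = $value;
    }
}

/** Login page: mint a one-time, unguessable state, persist it, embed it in the login URL. */
function buildLoginUrl(StateStore $store, string $redirectUri, array $scopes): string
{
    $state = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    $store->set('state', $state);         // what the SDK keeps as FBRLH_state
    $query = http_build_query([
        'client_id'     => 'APP_ID',      // placeholder, not a real app id
        'redirect_uri'  => $redirectUri,
        'scope'         => implode(',', $scopes),
        'state'         => $state,
        'response_type' => 'code',
    ]);
    return 'https://www.facebook.com/dialog/oauth?' . $query;
}

/**
 * Callback: the state echoed back by the provider must equal the persisted one.
 * The second branch is the failure this page is about: the store has no state.
 */
function validateCsrf(StateStore $store, array $query): void
{
    $state = $query['state'] ?? null;
    if (!$state) {
        throw new RuntimeException('Cross-site request forgery validation failed. Required GET param "state" missing.');
    }
    $savedState = $store->get('state');
    if (!$savedState) {
        throw new RuntimeException('Cross-site request forgery validation failed. Required param "state" missing from persistent data.');
    }
    if (!hash_equals($savedState, $state)) {   // constant-time comparison
        throw new RuntimeException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.');
    }
    $store->set('state', null);                 // one-time use: discard after a successful check
}

// --- Demo with constructed requests ------------------------------------------

// 1) Healthy flow: the same store (session) is visible on both requests.
$session  = new ArrayStateStore();
$loginUrl = buildLoginUrl($session, 'https://example.test/login-callback', ['email']);
parse_str((string) parse_url($loginUrl, PHP_URL_QUERY), $sent);
validateCsrf($session, ['code' => 'CONSTRUCTED_CODE', 'state' => $sent['state']]);
echo "same session: state validated\n";

// 2) The asker's situation: the callback runs with a session that does not hold the
//    state (session not started, or a different/expired session cookie), so the
//    saved state is null and the check fails before any comparison is made.
$emptySession = new ArrayStateStore();
try {
    validateCsrf($emptySession, ['code' => 'CONSTRUCTED_CODE', 'state' => $sent['state']]);
} catch (RuntimeException $e) {
    echo "fresh session: " . $e->getMessage() . "\n";
}

// 3) A forged callback: an attacker-chosen state never matches the victim's stored one.
$victim = new ArrayStateStore();
buildLoginUrl($victim, 'https://example.test/login-callback', ['email']);
try {
    validateCsrf($victim, ['code' => 'ATTACKER_CODE', 'state' => bin2hex(random_bytes(16))]);
} catch (RuntimeException $e) {
    echo "forged state: " . $e->getMessage() . "\n";
}
```

Case 2 is what the asker observed ($savedState null), and it is a session problem rather than a Laravel CSRF-middleware problem, which is why the other two answers on this page adjust session configuration. Alex's workaround above makes the browser carry the state back in its own cookie; that works, but setcookie() with only a name and value sets that cookie without the Secure, HttpOnly or SameSite attributes, so if you keep it, set those flags and a short lifetime. The better home for the state is the server-side session itself, which requires session_start() (or Laravel's session middleware) to run on both the login route and the callback route, and the session cookie's domain and path to cover the callback URL.
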
For those using CodeIgniter, you will have to autoload the session library.

Modify your application/config/autoload.php; the libraries entry should include "session":

    $autoload['libraries'] = array('session');
+1

I had a headache with this, then I found a simple way to fix it.

Find config/session.php and change

    'expire_on_close' => false,

to

    'expire_on_close' => true,

0
