Facebook infinite loop (&state= and &code= params keep refreshing, but only on FIREFOX) PHP

Question

Please debug, this is a PHP page on my site to handle Facebook permissions for an app.

PROBLEM - My user is supposed to:
>> Click on a link on my site ("install link")
>> Get sent to a page: install.php where Facebook authentication is processed
>> then redirected to a landing page: index.php

When a user clicks on the link, it is originally:

http://SITE.COM/install.php?cover=image.jpg&id=001&title=TITLE+HERE

On Firefox, this is what happens instead - the user is redirected to an infinite loop that I can't figure out, and it never ends or stops.
(I've tried it on 3 browsers: Chrome, Firefox and Safari - THIS only happens on FIREFOX)

    http://SITE.COM/install.php?cover=image.jpg&id=001&title=TITLE+HERE&state=df50b9c92366fe3167a561b74b570ab1&code=AQAnWnd4lcDVUhb34F5OTnE4ef9y_H3wqRarcse69ELjf5cWeT_MvAbMkIELaUDeoDCTyyge3FrbLNbhnbInAF0ksk9LREmkOygzXN1WDja_yGdSmZS_z_LfL2JtCfIFZKO72ilIkCUPFy5GmoKyQf_XEEacG1Wxp5jnRD-nJeEdiq8tjVYbK0Q6LpD2r_RIhh2SnFfra_MbZu_rBEOyiHx1#_=_

New parameters are added: &state= and &code=, and these new parameters keep the browser busy by refreshing themselves and generating new variables. It's like a never ending wait.

This is the install.php page that handles the thing:
(Assume that database connection is established & appId and Secret are filled in properly)

  require_once('./facebook.php'); // FACEBOOK LIBRARY
  $config = array(
  'appId' => '#',
  'secret' => '#',
  'fileUpload' => true,
  );

  $facebook = new Facebook($config);
  $user_id = $facebook->getUser();

  define('REDIRECT_URI',"http://SITE.COM/covers/index.php?cover=uploaded&id=".$_GET['id']."&title=".$_GET['title']."");

// GET IMAGE FROM URL
  $img = $_GET['cover'];
  $photo = './covers/'.$img.''; // PATH TO THE PHOTO ON THE LOCAL FILESYSTEM
  $caption = 'I found this Cover at <3 http://SITE.COM';

    if($user_id) {

      try {
        // UPLOAD PHOTO TO USER'S PROFILE
        $ret_obj = $facebook->api('/me/photos', 'POST', array(
                                         'source' => '@' . $photo,
                                         'message' => $caption
                                         )
                                      );


        $login_url = $facebook->getLoginUrl($params = array('redirect_uri' => REDIRECT_URI));
        echo ("<script> top.location.href='".$login_url."'</script>");

      } catch(FacebookApiException $e) {
        $login_url = $facebook->getLoginUrl( array(
                       'scope' => 'email,status_update,publish_stream,photo_upload'
                       )); 
        echo '<script> window.location = "' . $login_url . '"; </script>';
        error_log($e->getType());
        error_log($e->getMessage());
      }   
    $api_call = array(
        'method' => 'users.hasAppPermission',
        'uid' => $user_id,
        'ext_perm' => 'publish_stream'
    );
    $can_post = $facebook->api($api_call);
    if ($can_post) {
    $user = $facebook->api('/me');
    $photolink = 'http://graph.facebook.com/'.$user['id'].'/picture';

            # ACTIVE SESSION, CHECK IF THE USER HAS ALREADY REGISTERED
            $query = mysql_query("SELECT * FROM users WHERE account = 'facebook' AND userId = " . $user['id']);
            $result = mysql_fetch_array($query);


            # IF NOT, ADD USER TO DATABASE
            if (empty($result)) {
                $query = mysql_query("INSERT INTO users (oauth_uid, userId, username, first_name, last_name, email, picture, account) VALUES ('facebook', '{$user['id']}', '{$user['name']}', '{$user['first_name']}', '{$user['last_name']}','{$user['email']}', '".$photolink."', 'facebook')");
                $query = mysql_query("SELECT * FROM users WHERE id = " . mysql_insert_id());
                $result = mysql_fetch_array($query);
            }




        # NOW POST THIS ON USER'S TIMELINE
        $facebook->api('/' . $user_id . '/feed', 'post', array(
            'message' => 'JUST A TEST!',
            'name' => 'APP TESTING',
            'description' => 'THIS IS A TEST',
            'caption' => 'This is just a TEST! Hooray!',
            'picture' => 'http://test.com/test.jpg',
            'link' => 'http://SITE.COM/'
        ));
        echo 'Posted!';
    } else {
        die('Permissions required!');
    }
      echo '<br /><a href="' . $facebook->getLogoutUrl() . '">logout</a>';
    } else {

      // NOT LOGGED IN
      $login_url = $facebook->getLoginUrl( array( 'scope' => 'email,status_update,publish_stream,photo_upload') );
        echo '<script> window.location = "' . $login_url . '"; </script>';

    }

(The script works as expected on Chrome and Safari.)

I'm the only one testing this, so when I say "user" I'm actually just referring to myself. ;o)
My cookies are NOT disabled, so I don't suppose that's it.

Can anyone figure out what's up? Thank you for your time, I appreciate it.

---

If I do not have the app installed on my Facebook, it actually gets to oauth dialog page, with this URL:

https://www.facebook.com/dialog/oauth?client_id=225230310923314&redirect_uri=http%3A%2F%2FWWW.SITE.COM%2Fcovers%2Finstall.php%3Fcover%3D685970AG58759_1338938036.jpg%26id%3D151%26title%3DZoidberg%2Bof%2BFuturama&state=f4bb3c13a2392fe0e24c3dc539e18aae&scope=email%2Cpublish_stream%2Cphoto_upload

then if you proceed, extra permissions are requested at this URL:

https://www.facebook.com/dialog/permissions.request

So at least we know it goes that far...
Now on this page, I'm scared to click "allow" because the inevitable redirection will occur.

But anyway, allooow...

The odd thing is, it redirects to BACK to install.php... Even though it's supposed to head over to index.php now. No wonder it loops! But the thing is, I don't know how to fix that. @_@

Adding 'redirect_uri' => 'INDEX.PHP' makes it stop working on Chrome and Safari (redirects correctly but doesn't post image etc.), and though it fixes the redirection bug in Firefox, just the same it doesn't do any of the actions specified in the script (e.g. posting, uploading, etc.), so instead of just 1 browser messing up, we now have 3.

So that's obviously not the solution.

---

EDIT - After having tried everything, I realize that I'm the only one having this issue, and it works for others. So, YAY!

---

EDIT: SOLUTION - Well, I am updating this to let everyone that I actually did FIND THE PROBLEM which caused the infinite redirect loop.

The cause of this was the fact that the Facebook library was spitting out an error (missing Privacy Policy inside the APP), & everytime this happened it would send the user back to the last page it was on (specifically the install.php page), but because my script sends the user to Facebook, that's why it went to an infinite loop. Facebook would keep sending the user back, while my script would keep sending the user to Facebook.

I solved the problem by commenting out all // throw $e; inside the Facebook library to suppress errors.

The errors were none code-related.

Answer 1

SOLUTION: Well, I am updating this to let everyone know that I actually did FIND THE PROBLEM which caused the infinite redirect loop. (This is also a rather very late update, like years late, but anyway...)

The cause of this was the fact that the Facebook library was spitting out an error (missing Privacy Policy inside the APP / a Facebook requirement for all APPs), and everytime this happened it would send the user back to the last page it was on (specifically the install.php page), but because my script sends the user to Facebook, it just went to an infinite loop.
Facebook would keep sending the user back, while my script would keep sending the user over to Facebook.

I solved the problem by commenting out all throw $e; inside the Facebook library to suppress errors. Since it was just because of a missing Privacy Policy & nothing code-related, it felt OK to do so.

The errors were none code-related.

Answer 2

I was having the same issue. I checked the code several times and all seems to be OK. After doing everything, i check my app ID and secret and realized that (stupid me) the secret in the config array was wrong. After changing the secret the refresh problem disappear. If you are having this issue only in IE try putting header('P3P: CP="CAO PSA OUR"'); at the top of your page.

Answer 3

My cookies are NOT disabled, so I don't suppose that's it.

Don’t suppose – check …!

Cookies set in combination with a redirect can be tricky sometimes. Maybe it’d be better not to rely on the cookie, and implement server-side auth the way it’s supposed to work instead.