Reputation: 4155
I am trying a cross-domain FB login using the Graph API.
I am getting the error "Facebook SDK returned an error: Cross-site request forgery validation failed. Required param "state" missing from persistent data".
Step 1 Code:
    $fb = new \Facebook\Facebook([
        'app_id' => $this->appId,
        'app_secret' => $this->appSecret,
        'default_graph_version' => $this->apiVersion,
    ]);
    $permissions = [
        'email',
        'manage_pages',
        'business_management',
        'ads_management'
    ];
    $helper = $fb->getRedirectLoginHelper();
    // getLoginUrl() generates the anti-CSRF "state" value and stores it in persistent data (the PHP session by default)
    $loginUrl = $helper->getLoginUrl($this->redirectUrl.'?back_to='.$customer_website_url, $permissions);
Step 3 Code:
    $fb = new \Facebook\Facebook([
        'app_id' => $appId,
        'app_secret' => $appSecret,
        'default_graph_version' => $graph_api_version,
    ]);
    $helper = $fb->getRedirectLoginHelper();
    // getAccessToken() reads "state" back from persistent data and compares it with the value Facebook sent in the callback
    $accessToken = $helper->getAccessToken();
I have explained everything in the image, so can anyone tell me what the problem might be and a possible solution?
Upvotes: 0
Views: 2686
Reputation: 1920
First check whether your PHP script is encoded as UTF-8 or UTF-8 without BOM. Sometimes this causes the problem; it may also occur for other reasons, one of them being SESSION handling. I get this error when I try the back and forward buttons in the browser :D
Step 3 will be the callback PHP script configured in the Fb App settings, where Facebook will redirect the user after taking Fb App permissions. If it is a different script or the domain is different, you may get this.
You can also set the state parameter manually.
Try this:
In your Step 3 code, after getting the access token, convert it to a long-lived token, set the access token in the session, and check for the GET parameter you're passing; based on that, redirect to the page.
    session_start(); // the SDK's default persistent data handler reads "state" from $_SESSION, so the session must be active here

    $fb = new \Facebook\Facebook([
        'app_id' => $appId,
        'app_secret' => $appSecret,
        'default_graph_version' => $graph_api_version,
    ]);
    $helper = $fb->getRedirectLoginHelper();

    try {
        // Validates the "state" param against the session and exchanges the code for an access token
        $accessToken = $helper->getAccessToken();
    } catch (\Facebook\Exceptions\FacebookSDKException $e) {
        echo "<p>Facebook SDK returned an error: " . $e->getMessage() . "</p>\n\n";
        exit;
    }
    if (!isset($accessToken)) {
        // No "code" in the request, e.g. the user reached this script without going through the login dialog
        echo "<p>No access token received.</p>\n\n";
        exit;
    }

    $oAuth2Client = $fb->getOAuth2Client();
    if (!$accessToken->isLongLived()) {
        // Exchanges a short-lived access token for a long-lived one
        try {
            $accessToken = $oAuth2Client->getLongLivedAccessToken($accessToken);
        } catch (\Facebook\Exceptions\FacebookSDKException $e) {
            // $e, not $helper, carries the error message
            echo "<p>Error getting long-lived access token: " . $e->getMessage() . "</p>\n\n";
            exit;
        }
    }
    // You can also store this access token in database for future use
    $_SESSION['fb_access_token'] = (string) $accessToken;

    if (isset($_GET['back_to']) && $_GET['back_to'] == '<any_specific_value>') {
        header("Location: <specific page>");
        exit();
    } else {
        // User is logged in with a long-lived access token.
        // You can redirect them to a members-only page.
        header("Location: <default page>");
        exit();
    }
On <specific page>/<default page>, using fb_access_token from the session you can query the Facebook Graph/Marketing API.
Once this is done, and if you're storing the access token in the database, in the Step 1 code you can check whether you already have the access token of the specific user or not.
    // Query the database for the stored access token of the user.
    // lookupStoredAccessToken() is a placeholder for your own DB query; it returns null when no token is stored.
    $storedToken = lookupStoredAccessToken($userId);
    if ($storedToken !== null) {
        // Reuse the stored token instead of sending the user through the login dialog again
        $accessToken = $storedToken;
    } else {
        $fb = new \Facebook\Facebook([
            'app_id' => $this->appId,
            'app_secret' => $this->appSecret,
            'default_graph_version' => $this->apiVersion,
        ]);
        $permissions = [
            'email',
            'manage_pages',
            'business_management',
            'ads_management'
        ];
        $helper = $fb->getRedirectLoginHelper();
        $loginUrl = $helper->getLoginUrl($this->redirectUrl.'?back_to='.$customer_website_url, $permissions);
    }
Upvotes: 1
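The error in the question is the SDK's built-in OAuth anti-CSRF check failing: the "state" value written to persistent data in Step 1 cannot be found when Step 3 runs. As an added illustration (not code from the question, the answer, or the Facebook SDK), here is the same check written by hand in plain PHP: Step 1 stores a random state in the session before redirecting, Step 3 compares the echoed value with hash_equals() and refuses the authorization code otherwise, and the back_to redirect target is checked against an allowlist instead of being trusted as received. The function names, the session key, the endpoint version and the sample URLs are assumptions made for this example.

```php
<?php
// Added example, not part of the question, the answer or the Facebook SDK.
// Shows the OAuth 2.0 "state" anti-CSRF check the SDK performs internally.
// Function names and the session key are assumptions for illustration.

declare(strict_types=1);

// Step 1: build the login URL and persist the state in the session.
// Without an active session nothing survives to Step 3, which is exactly
// the "missing from persistent data" failure on this page.
function beginLogin(string $appId, string $redirectUri, array $scopes): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        throw new RuntimeException('session_start() must run before generating the login URL');
    }
    $state = bin2hex(random_bytes(16));   // 128 bits from a CSPRNG, unguessable per login attempt
    $_SESSION['oauth_state'] = $state;     // this is the "persistent data"
    $query = http_build_query([
        'client_id'     => $appId,
        'redirect_uri'  => $redirectUri,   // must exactly match a redirect URI registered for the app
        'scope'         => implode(',', $scopes),
        'state'         => $state,
        'response_type' => 'code',
    ]);
    // Version segment (v2.x) is an assumption; use the version your app is configured for.
    return 'https://www.facebook.com/v2.12/dialog/oauth?' . $query;
}

// Step 3: the callback. Only after the echoed state matches the stored one
// is the authorization code worth exchanging for an access token.
function validateCallbackState(array $query): string
{
    $stored = $_SESSION['oauth_state'] ?? null;
    unset($_SESSION['oauth_state']);       // single use: a replayed callback must not pass
    if ($stored === null) {
        // Session absent at callback: different host, no session_start(), or an expired cookie
        throw new RuntimeException('Required param "state" missing from persistent data');
    }
    if (!isset($query['state']) || !hash_equals($stored, (string) $query['state'])) {
        // Constant-time compare; a forged or cross-site initiated callback ends here
        throw new RuntimeException('Cross-site request forgery validation failed');
    }
    if (!isset($query['code'])) {
        throw new RuntimeException('No authorization code in callback');
    }
    return (string) $query['code'];
}

// The back_to parameter arrives in the query string and is attacker-controllable;
// compare it against an allowlist of known destinations, as the answer's
// '<any_specific_value>' check does, rather than redirecting to it blindly.
function safeBackTo(?string $backTo, array $allowed, string $default): string
{
    return ($backTo !== null && in_array($backTo, $allowed, true)) ? $backTo : $default;
}

// Usage with constructed values (run on two requests of the same host):
//   session_start();
//   header('Location: ' . beginLogin('APP_ID', 'https://example.com/fb-callback.php?back_to=https://shop.example', ['email']));
// ... and in fb-callback.php:
//   session_start();
//   $code = validateCallbackState($_GET);
//   header('Location: ' . safeBackTo($_GET['back_to'] ?? null, ['https://shop.example'], '/dashboard'));
```

The session cookie that carries the stored state is scoped to the host that set it, so if Step 1 runs on one host and the callback on another, the callback request carries no session and validateCallbackState() fails the same way the SDK does. That is the reason behind the answer's point that the callback script and its domain must be the ones the login URL was generated for.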