"Cross-site request forgery validation failed. The "state" param from the URL and session do not match" error

Time: 2015-12-22 10:14:03

Tags: php facebook facebook-graph-api

I am using the Facebook PHP SDK to let users log in through Facebook. However, I keep getting this cross-site request forgery error that I can't seem to resolve. My app is set up correctly, but the State and Session State keys never match. I created an FBlink.class that handles the login, with the code below:

    <?php
    error_reporting(E_ALL);
    ini_set('display_errors', 1);

    // The SDK's session-backed persistent data handler needs an active session;
    // index.php normally starts it, this guard only covers the case it does not.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    require_once __DIR__ . '/src/Facebook/autoload.php';
    $fb = new app\src\Facebook\Facebook([
        'app_id' => '*', // (I've hidden this info)
        'app_secret' => '*',
        'default_graph_version' => '*',
    ]);

    $helper = $fb->getRedirectLoginHelper();
    $permissions = ['email']; // optional

    // The SDK is vendored under app\src\Facebook, so its exceptions live under
    // app\src\Facebook\Exceptions; catching the bare Facebook\... names never matches.
    try {
        if (isset($_SESSION['facebook_access_token'])) {
            $accessToken = $_SESSION['facebook_access_token'];
        } else {
            $accessToken = $helper->getAccessToken();
        }
    } catch (app\src\Facebook\Exceptions\FacebookResponseException $e) {
        // When Graph returns an error
        echo 'Graph returned an error: ' . $e->getMessage();
        exit;
    } catch (app\src\Facebook\Exceptions\FacebookSDKException $e) {
        // When validation fails or other local issues
        echo 'Facebook SDK returned an error: ' . $e->getMessage();
        exit;
    }

    if (isset($accessToken)) {
        if (isset($_SESSION['facebook_access_token'])) {
            $fb->setDefaultAccessToken($_SESSION['facebook_access_token']);
        } else {
            // getting short-lived access token
            $_SESSION['facebook_access_token'] = (string) $accessToken;
            // OAuth 2.0 client handler
            $oAuth2Client = $fb->getOAuth2Client();
            // Exchanges a short-lived access token for a long-lived one
            $longLivedAccessToken = $oAuth2Client->getLongLivedAccessToken($_SESSION['facebook_access_token']);
            $_SESSION['facebook_access_token'] = (string) $longLivedAccessToken;
            // setting default access token to be used in script
            $fb->setDefaultAccessToken($_SESSION['facebook_access_token']);
        }

        // redirect the user back to the same page if it has "code" GET variable
        // (exit so the rest of the script does not keep running after the redirect)
        if (isset($_GET['code'])) {
            header('Location: ./');
            exit;
        }

        // getting basic info about user
        try {
            $profile_request = $fb->get('/me?fields=name,first_name,last_name,email');
            $profile = $profile_request->getGraphNode()->asArray();
            print_r($profile);
        } catch (app\src\Facebook\Exceptions\FacebookResponseException $e) {
            // When Graph returns an error
            echo 'Graph returned an error: ' . $e->getMessage();
            session_destroy();
            // redirecting user back to app login page
            header("Location: ./");
            exit;
        } catch (app\src\Facebook\Exceptions\FacebookSDKException $e) {
            // When validation fails or other local issues
            echo 'Facebook SDK returned an error: ' . $e->getMessage();
            exit;
        }

        // printing $profile array on the screen which holds the basic info about user
        // Now you can redirect to another page and use the access token from $_SESSION['facebook_access_token']
    } else {
        // replace your website URL same as added in the developers.facebook.com/apps e.g. if you used http instead of https and you used non-www version or www version of your website then you must add the same here
        $loginUrl = $helper->getLoginUrl('**', $permissions);
        echo '<a href="' . $loginUrl . '">Log in with Facebook!</a>';
    }

I just include this file in my index.php so that it runs for now. The validateCsrf function is as follows:

    // SDK method from FacebookRedirectLoginHelper, with two echo lines added for debugging
    protected function validateCsrf()
    {
        $state = $this->getState();                               // "state" from the redirect URL
        $savedState = $this->persistentDataHandler->get('state'); // "state" saved in the session
        echo 'STATE: ' . $state;
        echo 'SAVED STATE: ' . $savedState;

        if (!$state || !$savedState) {
            throw new FacebookSDKException('Cross-site request forgery validation failed. Required param "state" missing.');
        }

        $savedLen = strlen($savedState);
        $givenLen = strlen($state);

        if ($savedLen !== $givenLen) {
            throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.');
        }

        // constant-time comparison of the two values
        $result = 0;
        for ($i = 0; $i < $savedLen; $i++) {
            $result |= ord($state[$i]) ^ ord($savedState[$i]);
        }

        if ($result !== 0) {
            throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.');
        }
    }

The error I receive is:

Fatal error: Uncaught exception 'app\src\Facebook\Exceptions\FacebookSDKException' with message 'Cross-site request forgery validation failed. The "state" param from the URL and session do not match.' in /var/www/html/app/src/Facebook/Helpers/FacebookRedirectLoginHelper.php:263
Stack trace:
#0 /var/www/html/app/src/Facebook/Helpers/FacebookRedirectLoginHelper.php(225): app\src\Facebook\Helpers\FacebookRedirectLoginHelper->validateCsrf()
#1 /var/www/html/app/FBlink.php(21): app\src\Facebook\Helpers\FacebookRedirectLoginHelper->getAccessToken()
#2 /var/www/html/index.php(7): require_once('/var/www/html/a...')
#3 {main}
thrown in /var/www/html/app/src/Facebook/Helpers/FacebookRedirectLoginHelper.php on line 263

Can someone point out to me why this is happening? If more code is needed, I'd be happy to add some. Thanks
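The check validateCsrf performs is the standard OAuth "state" binding: a random value is saved in the session when the login URL is built and must come back unchanged on the redirect URL, sent from the same session. The script below is an added example, not the question's code or the SDK's, that models that check offline with plain arrays standing in for $_SESSION (issueState, validateState and report are hypothetical names); it reproduces the "missing" and "do not match" rejections, including the redirect-URI host mismatch the comment in the posted code warns about.

```php
<?php
// Added example, not the question's code or the SDK's: a minimal model of the
// OAuth "state" anti-CSRF check, with arrays in place of $_SESSION.

// Issue a fresh unguessable state and bind it to the caller's session
// (building the login URL does this in the SDK).
function issueState(array &$session): string
{
    $state = bin2hex(random_bytes(16));
    $session['state'] = $state;
    return $state;
}

// Check the state returned on the redirect URL against the saved one.
// Returns null when valid, otherwise the reason the login must be rejected.
function validateState(?string $stateFromUrl, array $session): ?string
{
    $saved = $session['state'] ?? null;
    if (!$stateFromUrl || !$saved) {
        return 'Required param "state" missing';
    }
    // Constant-time comparison, equivalent to the SDK's XOR loop.
    if (!hash_equals($saved, $stateFromUrl)) {
        return 'The "state" param from the URL and session do not match';
    }
    return null;
}

function report(string $case, ?string $error): void
{
    echo $case, ': ', $error ?? 'valid', PHP_EOL;
}

// Case 1: the login page and the redirect URI share one session.
$sessionA = [];
$state = issueState($sessionA);
report('same session', validateState($state, $sessionA));

// Case 2: the redirect URI is on a different host or scheme than the page that
// issued the login link (www vs non-www, http vs https), so the browser sends
// no session cookie there and PHP starts an empty session.
$sessionB = [];
report('different host', validateState($state, $sessionB));

// Case 3: the login URL was generated again (new state saved) before the
// callback carrying the earlier state was processed.
$earlier = $state;
issueState($sessionA);
report('state rotated', validateState($earlier, $sessionA));
```

When debugging the real flow, compare the session id seen on the page that printed the login link with the one seen on the redirect URI; if they differ, the redirect URI and the app's configured site URL do not share the cookie's host and scheme.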

0 answers:

No answers