我确实意识到这个问题已经存在 2 个月了,但我在使用 Heroku 代码时遇到了类似的问题。我还没有完全调试它,但我注意到
的输出
session_id();
刷新后 IE 中的变化,但在 Chrome 中保持不变,表明会话在 IE 中丢失。显然,会话的状态在 IE 中是空白的,当它在 Chrome 下正常工作时,您会收到 CSRF 错误。
如果有人能对此有所了解,我将不胜感激。我会不断更新这个答案,因为我会更多地了解具体是什么导致了 IE 中的问题以及如何解决它。
[编辑]呃。这是一个cookie问题。我的 IE 阻止了 cookie(包括会话 cookie),而 Chrome 没有。我在阅读http://www.daniweb.com/web-development/php/threads/294235 后得到了这个想法。我不确定解决方法。当我发现更多信息时,我会保持更新。欢迎其他人提供任何意见![/edit]
[edit-2]好的,正如所承诺的,这就是解决方案。您需要像这样激活 P3P:
header('P3P: CP="CAO PSA OUR"');
将此添加到您正在使用会话的代码顶部。我在Session Lost on IE Facebook App iFrame找到了解决方案
为了完整起见,这是我正在使用的代码(查看登录方法)-
<?php
/**
* This class provides Facebook specfic utility functions that you may use
* to build your app.
*/
require_once('AppInfo.php');
require_once('utils.php');
class FBUtils {
/*****************************************************************************
*
* The content below provides some helper functions that you may wish to use as
* you develop your app.
*
****************************************************************************/
/**
* GETs graph.facebook.com/$target, and returns it as decoded JSON
* To learn more about the Graph API, visit:
* 'https://developers.facebook.com/docs/refererence/api'
*
* @return graph api content of $target
*/
public static function fetchFromFBGraph($target) {
return self::curl('https://graph.facebook.com/' . $target);
}
/**
* Uses FQL (Facebook Query Language) to return the result of $query with the
* access-token $token. FQL is used to process more complex requests that the
* graph API does not directly expose. For more information, visit
'https://developers.facebook.com/docs/reference/fql'
*
* @return Facebook Query result for $query
*/
public static function fql($query, $token) {
$query = urlencode($query);
return self::curl("https://api.facebook.com/method/fql.query?query=$query&format=json&access_token=$token");
}
/**
* Helper function
* @return the JSON decoded results of curling $url
*/
public static function curl($url) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
return json_decode(curl_exec($ch), true);
}
/**
* Authenticates the current viewer of the app, prompting them to login and
* grant permissions if necessary. For more information, check the
* 'https://developers.facebook.com/docs/authentication/'
*
* @return app access token if login is successful
*/
public static function login($redirect) {
$app_id = AppInfo::appID();
//echo "app id: $app_id <br>";
$app_secret = AppInfo::appSecret();
//echo "app secret: $app_secret <br>";
$home = AppInfo::getHome();
//echo "home: $home <br>";
// Scope defines what permissions that we are asking the user to grant.
// In this example, we are asking for the ability to publish stories
// about using the app, access to what the user likes, and to be able
// to use their pictures. You should rewrite this scope with whatever
// permissions your app needs.
// See https://developers.facebook.com/docs/reference/api/permissions/
// for a full list of permissions
$scope = 'user_likes,user_photos,user_photo_video_tags,publish_stream';
//session_start();
$code = $_REQUEST["code"];
// If we don't have a code returned from Facebook, the first step is to get
// that code
if (empty($code)) {
//echo "test"; exit();
// CSRF protection - for more information, look at 'Security Considerations'
// at 'https://developers.facebook.com/docs/authentication/'
$state = md5(uniqid(rand(), TRUE));
setcookie(
AppInfo::appID() . '-fb-app',
$state,
$expires = time()+3600,
$path = "",
$domain = "",
$secure = "",
$httponly = true);
$_SESSION[AppInfo::appID() . '-fb-app'] = $state;
echo session_id(); exit(); // debugging output
// Now form the login URL that you will use to authorize your app
$authorize_url = "https://www.facebook.com/dialog/oauth?client_id=$app_id" .
"&redirect_uri=$home&state=" . $state . "&scope=$scope";
// Now we redirect the user to the login page
echo("<script> window.location.href='" . $authorize_url . "'</script>");
return false;
// Once we have that code, we can now request an access-token. We check to
// ensure that the state has remained the same.
} else
{
echo $_REQUEST['state']."|"; echo $_SESSION[AppInfo::appID() . '-fb-app']; exit(); // debugging output
if ($_REQUEST['state'] === $_COOKIE[AppInfo::appID() . '-fb-app']) {
$ch = curl_init("https://graph.facebook.com/oauth/access_token");
curl_setopt($ch, CURLOPT_POSTFIELDS,
"client_id=$app_id&redirect_uri=$home&client_secret=$app_secret" .
"&code=$code&scope=$scope");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$response = curl_exec($ch);
// Once we get a response, we then parse it to extract the access token
parse_str($response, $params);
$token = $params['access_token'];
return $token;
// In the event that the two states do not match, we return false to signify
// that something has gone wrong during authentication
}}
//else {
// echo("States do not match. CSRF?");
// return false;
//}
}
}