【问题标题】:facebook web app, getting error 'The state does not match. You may be a victim of CSRF'facebook web 应用程序,出现错误'状态不匹配。你可能是 CSRF 的受害者
【发布时间】:2011-11-06 10:44:31
【问题描述】:

我正在使用来自 facebook 应用开发者网站的代码。我试过了,我收到以下错误:

"The state does not match. You may be a victim of CSRF"

使用的代码如下:

  <?php 

   $app_id = "YOUR_APP_ID";
   $app_secret = "YOUR_APP_SECRET";
   $my_url = "YOUR_URL";

   session_start();
   $code = $_REQUEST["code"];

   if(empty($code)) {
     $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
     $dialog_url = "http://www.facebook.com/dialog/oauth?client_id=" 
       . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
       . $_SESSION['state'];

     echo("<script> top.location.href='" . $dialog_url . "'</script>");
   }

   if($_REQUEST['state'] == $_SESSION['state']) {
     $token_url = "https://graph.facebook.com/oauth/access_token?"
       . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
       . "&client_secret=" . $app_secret . "&code=" . $code;

     $response = file_get_contents($token_url);
     $params = null;
     parse_str($response, $params);

     $graph_url = "https://graph.facebook.com/me?access_token=" 
       . $params['access_token'];

     $user = json_decode(file_get_contents($graph_url));
     echo("Hello " . $user->name);
   }
   else {
     echo("The state does not match. You may be a victim of CSRF.");
   }

 ?>

从代码中可以看出,出于某种原因,$_REQUEST['state'] != $_SESSION['state']。有人可以解释为什么会这样。我也是PHP爱好者。

谢谢你:)

【问题讨论】:

    标签: facebook facebook-graph-api


    【解决方案1】:

    使用 SDK,更简单。

    此代码获取用户数据并将其序列化,然后输入数据库,我知道它并不完美,但请看一看。当我有空闲时间时,我将对其进行编辑,然后我建议将用户数据编码为 JSON,而不是 base64 序列化,因为将来进行查询搜索会更容易。

        <?php
            require 'facebook.php'; // USE FACEBOOK PHP SDK
    
            // Create our Application instance (replace this with your appId and secret).
            $facebook = new Facebook(array(
              'appId'  => 'APPID',
              'secret' => 'APPSECRET',
            ));
            // ----------------------------------------------------------------------------------------
            // ----------------------------------------------------------------------------------------
    
            // Get User ID
            $user = $facebook->getUser();
    
            /* We may or may not have this data based on whether the user is logged in.
               If we have a $user id here, it means we know the user is logged into
               Facebook, but we don't know if the access token is valid. An access
               token is invalid if the user logged out of Facebook. */
    
            if ($user) {
              try {
                // Proceed knowing you have a logged in user who's authenticated.
                // these are the graph calls
                $dt = $facebook->api('/me');
                $lk = $facebook->api('/me/likes');
              } catch (FacebookApiException $e) {
                error_log($e);
                $user = null;
              }
            }
    
            // ----------------------------------------------------------------------------------------
            // ----------------------------------------------------------------------------------------
            // Handler for Login Status
            // With the LoginURL, user the 'scope' to ask for permissions
            if ($user) {
              $logoutUrl = $facebook->getLogoutUrl();
            } else {
              $loginUrl = $facebook->getLoginUrl(array("scope" => "email,user_birthday,user_likes,user_work_history,user_location,user_education_history"));
            }
            // ----------------------------------------------------------------------------------------
            ?>
            <?php if (!$user): header ('Location:'.$loginUrl.''); //CHECKS IF USER IS LOGGED IN
            else: 
    
     // Do Something here. This next bit of code shows what comes out of those calls.
          echo "<pre>"; 
          print_r($dt);
          echo"</pre>";
    
          echo"<br/><br/>";
    
          echo "<pre>"; 
          print_r($lk);
          echo"</pre>";
    
          endif
            ?>
    

    【讨论】:

      【解决方案2】:

      我确实意识到这个问题已经存在 2 个月了,但我在使用 Heroku 代码时遇到了类似的问题。我还没有完全调试它,但我注意到

      的输出
      session_id();
      

      刷新后 IE 中的变化,但在 Chrome 中保持不变,表明会话在 IE 中丢失。显然,会话的状态在 IE 中是空白的,当它在 Chrome 下正常工作时,您会收到 CSRF 错误。

      如果有人能对此有所了解,我将不胜感激。我会不断更新这个答案,因为我会更多地了解具体是什么导致了 IE 中的问题以及如何解决它。

      [编辑]呃。这是一个cookie问题。我的 IE 阻止了 cookie(包括会话 cookie),而 Chrome 没有。我在阅读http://www.daniweb.com/web-development/php/threads/294235 后得到了这个想法。我不确定解决方法。当我发现更多信息时,我会保持更新。欢迎其他人提供任何意见![/edit]

      [edit-2]好的,正如所承诺的,这就是解决方案。您需要像这样激活 P3P:

      header('P3P: CP="CAO PSA OUR"');
      

      将此添加到您正在使用会话的代码顶部。我在Session Lost on IE Facebook App iFrame找到了解决方案

      为了完整起见,这是我正在使用的代码(查看登录方法)-

      <?php
      
      /**
       * This class provides Facebook specfic utility functions that you may use
       * to build your app.
       */
      
      
      require_once('AppInfo.php');
      require_once('utils.php');
      
      class FBUtils {
      
        /*****************************************************************************
         *
         * The content below provides some helper functions that you may wish to use as
         * you develop your app.
         *
         ****************************************************************************/
      
        /**
         * GETs graph.facebook.com/$target, and returns it as decoded JSON
         * To learn more about the Graph API, visit:
         *  'https://developers.facebook.com/docs/refererence/api'
         *
         * @return graph api content of $target
         */
        public static function fetchFromFBGraph($target) {
         return self::curl('https://graph.facebook.com/' . $target);
        }
      
        /**
         * Uses FQL (Facebook Query Language) to return the result of $query with the
         * access-token $token.  FQL is used to process more complex requests that the
         * graph API does not directly expose.  For more information, visit
            'https://developers.facebook.com/docs/reference/fql'
         *
         * @return Facebook Query result for $query
         */
        public static function fql($query, $token) {
          $query = urlencode($query);
          return self::curl("https://api.facebook.com/method/fql.query?query=$query&format=json&access_token=$token");
        }
      
        /**
         * Helper function
         * @return the JSON decoded results of curling $url
         */
        public static function curl($url) {
          $ch = curl_init($url);
          curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
          return json_decode(curl_exec($ch), true);
        }
      
        /**
         * Authenticates the current viewer of the app, prompting them to login and
         * grant permissions if necessary.  For more information, check the
         * 'https://developers.facebook.com/docs/authentication/'
         *
         * @return app access token if login is successful
         */
        public static function login($redirect) {
          $app_id = AppInfo::appID();
          //echo "app id: $app_id <br>";
          $app_secret = AppInfo::appSecret();
          //echo "app secret: $app_secret <br>";
          $home = AppInfo::getHome();
          //echo "home: $home <br>";
          // Scope defines what permissions that we are asking the user to grant.
          // In this example, we are asking for the ability to publish stories
          // about using the app, access to what the user likes, and to be able
          // to use their pictures.  You should rewrite this scope with whatever
          // permissions your app needs.
          // See https://developers.facebook.com/docs/reference/api/permissions/
          // for a full list of permissions
          $scope = 'user_likes,user_photos,user_photo_video_tags,publish_stream';
          //session_start();
          $code = $_REQUEST["code"];
          // If we don't have a code returned from Facebook, the first step is to get
          // that code
          if (empty($code)) {
              //echo "test"; exit();
            // CSRF protection - for more information, look at 'Security Considerations'
            // at 'https://developers.facebook.com/docs/authentication/'
            $state = md5(uniqid(rand(), TRUE));
            setcookie(
              AppInfo::appID() . '-fb-app',
              $state,
              $expires = time()+3600,
              $path = "",
              $domain = "",
              $secure = "",
              $httponly = true); 
              $_SESSION[AppInfo::appID() . '-fb-app'] = $state;
              echo session_id(); exit(); // debugging output
            // Now form the login URL that you will use to authorize your app
            $authorize_url = "https://www.facebook.com/dialog/oauth?client_id=$app_id" .
      "&redirect_uri=$home&state=" . $state . "&scope=$scope";
            // Now we redirect the user to the login page
            echo("<script> window.location.href='" . $authorize_url . "'</script>");
            return false;
          // Once we have that code, we can now request an access-token.  We check to
          // ensure that the state has remained the same.
          } else 
          {
              echo $_REQUEST['state']."|"; echo $_SESSION[AppInfo::appID() . '-fb-app']; exit(); // debugging output
          if ($_REQUEST['state'] === $_COOKIE[AppInfo::appID() . '-fb-app']) {
            $ch = curl_init("https://graph.facebook.com/oauth/access_token");
            curl_setopt($ch, CURLOPT_POSTFIELDS,
              "client_id=$app_id&redirect_uri=$home&client_secret=$app_secret" .
              "&code=$code&scope=$scope");
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            $response = curl_exec($ch);
            // Once we get a response, we then parse it to extract the access token
            parse_str($response, $params);
            $token = $params['access_token'];
            return $token;
          // In the event that the two states do not match, we return false to signify
          // that something has gone wrong during authentication
          }}
          //else {
          //  echo("States do not match.  CSRF?");
          //  return false;
          //}
        }
      }
      

      【讨论】:

        猜你喜欢
        • 2013-11-16
        • 2022-01-13
        • 1970-01-01
        • 1970-01-01
        • 2011-11-12
        • 1970-01-01
        • 2013-11-09
        • 1970-01-01
        • 1970-01-01
        相关资源
        最近更新 更多