1
votes

I'm using the A3M CodeIgniter library, with updated FB PHP-SDK 3.2.

I'm forced into updating from 2.x as Facebook retired their 'legacy' connection method the other day, and that's what the a3m framework used. So I updated to the SDK, and now cannot get the connect process working for a number of reasons:

  1. Infinite redirect of getLoginUrl()
  2. "CSRF state token does not match one provided" errors (not using getLoginUrl() if I get a user).
  3. User is ALWAYS 0, even though I am logged in on FB.

I am really not sure what to do at this point.

My thoughts:

  • CodeIgniter could be stripping the response code / state? Not sure.
  • Authentication is failing / no errors being dropped other than CSRF error (not from CI!)
  • Many issues reported (especially on SO) with this infinite redirect from FB
  • Many issues reported on CSRF issue with PHP SDK.

REF:
https://github.com/facebook/facebook-php-sdk - FB SDK
https://github.com/pengkong/A3M-for-CodeIgniter-2.0 - A3M framework (which I am part of managing).

Ideas?

2
I've experienced similar problems with the FB PHP SDK. One thing I always forget to check is that sandbox mode is enabled for local testing. Also, Chrome doesn't set domain cookies for localhost, which could cause issues (stackoverflow.com/a/8225269/222622) - devers

2 Answers

2
votes

Destroy the session with $facebook->destroySession() for getting user 0.

Regarding 2, the Facebook SDK code has a bug when checking against tokens twice in the same handler.

I edited the getCode function of facebook.php like this:

protected function getCode() {
  // Bail out quietly when no code/state was supplied, or when the state was
  // already consumed by an earlier getCode() call in this same request.
  if (!isset($_REQUEST['code']) || !isset($_REQUEST['state']) || $this->state === null) {
    return false;
  }
  if ($this->state === $_REQUEST['state']) {
    // CSRF state has done its job, so clear it
    $this->state = null;
    $this->clearPersistentData('state');
    return $_REQUEST['code'];
  }
  self::errorLog('CSRF state token does not match one provided.');

  return false;
}

to be clearer and so that it does not report an invalid token if called twice.

To be clear, the function can be called twice in the same URL handler, e.g.:

$facebook->getUser(); and then, in the same handler, $facebook->getLogoutUrl(). Then getCode() is called twice, resulting in an invalid error message.
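The double-call behaviour described in this answer, as an added stand-alone example that is not code from the question, the answer or the Facebook SDK: a small class holds the CSRF state the way the SDK does, $_REQUEST is replaced by a constructed array, and errorLog()/clearPersistentData() by an in-memory log. Running it shows the stock logic logging one spurious CSRF error on the second call, the patched logic logging none, and the patched logic still rejecting a state that is present but wrong.

```php
<?php
// Added example (not from the question, answer or Facebook SDK): a minimal
// stand-in for the SDK CSRF "state" check, with $_REQUEST replaced by a
// constructed array and errorLog()/clearPersistentData() by a log array.
class StateCheck
{
    private $state;    // CSRF state generated before the login redirect
    public $log = [];  // stands in for self::errorLog()
    public function __construct($state) { $this->state = $state; }

    // Stock SDK logic: once the state has been consumed (null), a second
    // call in the same handler falls through to the CSRF error branch.
    public function getCodeOriginal(array $req)
    {
        if (isset($req['code'])) {
            if ($this->state !== null && isset($req['state']) && $this->state === $req['state']) {
                $this->state = null;  // state consumed
                return $req['code'];
            }
            $this->log[] = 'CSRF state token does not match one provided.';
        }
        return false;
    }

    // The answer's patch: an already-consumed state returns false silently;
    // a state that is present but different is still rejected and logged.
    public function getCodePatched(array $req)
    {
        if (!isset($req['code']) || !isset($req['state']) || $this->state === null) {
            return false;
        }
        if ($this->state === $req['state']) {
            $this->state = null;
            return $req['code'];
        }
        $this->log[] = 'CSRF state token does not match one provided.';
        return false;
    }
}
// Constructed callback request, as Facebook's redirect would supply it.
$req = ['code' => 'constructed-code', 'state' => 'abc123'];
foreach (['getCodeOriginal', 'getCodePatched'] as $method) {
    $check = new StateCheck('abc123');
    $check->$method($req);  // e.g. inside getUser()
    $check->$method($req);  // e.g. inside getLogoutUrl(), same handler
    printf("%s: %d CSRF error(s) logged\n", $method, count($check->log));
}
$forged = new StateCheck('abc123');
$forged->getCodePatched(['code' => 'constructed-code', 'state' => 'forged']);
printf("forged state under patch: %d CSRF error(s) logged\n", count($forged->log));
```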

0
votes

Try to replace fb_ca_chain_bundle.crt in modules/account/helper with the one from https://github.com/facebook/facebook-php-sdk/tree/master/src