CSRF state token does not match one provided FB PHP SDK 3.1.1 Oauth 2.0


Question

My server logs show a "CSRF state token does not match one provided" error which seems to happen for almost every user. However, the users are created and/or authenticated and I am able to retrieve the user info. I am using a Linux server with Apache. I am also using the latest Facebook PHP SDK v3.1.1. Can anyone tell me why this is happening and how to fix it?

Recommended answer

I had a similar issue last week, and tracked it down to the state field being overwritten by multiple calls to getLoginUrl(). Each time you call getLoginUrl(), a new state token is generated in the SDK and stored in the $_SESSION (it's just a random value), so if you call it twice and the user uses the first link to log in, the second call will have reset the SDK's internal state token, and you will get this error in your logs.

The SDK looks for the same state token in the URL coming back after Facebook authorizes the user and redirects them back to your site, and if it doesn't match it will log this error (here's a link to the source).
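The mechanism described in the answer, as an added illustration that is not the Facebook SDK's own code: a small stand-in class models how SDK 3.1.1 mints a fresh random `state` on every `getLoginUrl()` call, stores it in the session, and compares it against the `state` query parameter on the redirect back. The session is simulated with an array, the app id and authorization code are labelled placeholders, and `simulateRedirect()` is a hypothetical helper that plays the role of Facebook sending the user back. Running it shows the overwrite failure (two login URLs, user clicks the first) next to the working pattern (generate the login URL once per request and reuse it).

```php
<?php
// Added illustration, not the Facebook PHP SDK's own code: a minimal model of
// the OAuth 2.0 "state" handling that produces the
// "CSRF state token does not match one provided" log line in SDK 3.1.1.
// Session storage is simulated with an array so this runs from the CLI.

class StateTokenDemo
{
    // Stand-in for $_SESSION; the real SDK persists the 'state' value there.
    private array $session = [];

    // Mirrors the behaviour described in the answer: every call generates a
    // new random state token and overwrites the one already in the session.
    public function getLoginUrl(string $redirectUri): string
    {
        $this->session['state'] = bin2hex(random_bytes(16));
        return 'https://www.facebook.com/dialog/oauth?' . http_build_query([
            'client_id'    => 'APP_ID_PLACEHOLDER',   // placeholder, not a real app id
            'redirect_uri' => $redirectUri,
            'state'        => $this->session['state'],
        ]);
    }

    // Mirrors the check on the way back: the state in the callback URL must
    // equal the one stored in the session, otherwise the error is logged and
    // the authorization code is not trusted.
    public function verifyCallback(string $callbackUrl): bool
    {
        parse_str((string) parse_url($callbackUrl, PHP_URL_QUERY), $query);
        $provided = $query['state'] ?? '';
        $stored   = $this->session['state'] ?? '';
        if ($stored === '' || !hash_equals($stored, $provided)) {
            error_log('CSRF state token does not match one provided');
            return false;
        }
        unset($this->session['state']); // a state token is single use
        return true;
    }
}

// Hypothetical helper: plays the role of Facebook redirecting the user back to
// the site with the same state it was given plus an authorization code.
function simulateRedirect(string $loginUrl, string $redirectUri): string
{
    parse_str((string) parse_url($loginUrl, PHP_URL_QUERY), $q);
    return $redirectUri . '?' . http_build_query([
        'code'  => 'CODE_PLACEHOLDER',   // placeholder authorization code
        'state' => $q['state'],
    ]);
}

$redirect = 'https://example.com/fb-callback';   // constructed sample redirect URI

// Broken pattern: the page renders two login links (say, header and footer)
// by calling getLoginUrl() twice, and the user clicks the first one.
$fb     = new StateTokenDemo();
$first  = $fb->getLoginUrl($redirect);
$second = $fb->getLoginUrl($redirect);   // overwrites the session state
var_dump($fb->verifyCallback(simulateRedirect($first, $redirect)));

// Working pattern: generate the login URL once per request and reuse it
// wherever the page needs a login link.
$fb       = new StateTokenDemo();
$loginUrl = $fb->getLoginUrl($redirect);
$headerLink = $loginUrl;
$footerLink = $loginUrl;
var_dump($fb->verifyCallback(simulateRedirect($headerLink, $redirect)));
```

The first `var_dump` is false and logs the error, because the second `getLoginUrl()` call replaced the session token that the first link carries; the second is true. The same reasoning applies to any code path that calls `getLoginUrl()` more than once before the user returns, including a second call made on the callback page itself before `getUser()` runs. The comparison uses `hash_equals()` so that a mismatch does not leak timing information, and the stored token is cleared after a successful check so a captured callback URL cannot be replayed within the same session.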

