
The code is according to the FB manual, and I've noticed that if the user refreshes the page, I can't retrieve the ID of the user. The user will need to clear from the address bar the entire string after my URL in order to be able to obtain user info.

<?php

   $app_id = "myid";
   $app_secret = "mysecretkey";
   $my_url = "http://myurl.php";

   session_start();

   // The authorization code is only present on the redirect back from Facebook
   $code = isset($_REQUEST["code"]) ? $_REQUEST["code"] : "";

   if(empty($code)) {
     $_SESSION['state'] = md5(uniqid(rand(), TRUE)); // CSRF protection
     $dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
       . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
       . $_SESSION['state'] . "&scope=publish_actions";

     header("Location: " . $dialog_url);
     exit; // stop here; the rest must not run until the user comes back with a code
   }
   if(isset($_SESSION['state'], $_REQUEST['state'])
      && ($_SESSION['state'] === $_REQUEST['state'])) {
     $token_url = "https://graph.facebook.com/oauth/access_token?"
       . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
       . "&client_secret=" . $app_secret . "&code=" . $code;

     $response = file_get_contents($token_url);
     $params = null;
     parse_str($response, $params);

     $_SESSION['access_token'] = $params['access_token'];

     $graph_url = "https://graph.facebook.com/me?access_token="
       . $params['access_token'];

     $user = json_decode(file_get_contents($graph_url));
     var_dump($user);
   } else { // closing brace of the if block was missing before the else
     echo("The state does not match. You may be a victim of CSRF.");
   }

var_dump returns to me all necessary information after the first redirect, but if I refresh the page it returns null. Perhaps I need to "destroy" any session cookies??

nikolas

2 Answers


This happens because the $code that you are using is no longer valid and has been consumed.
Also, might I suggest you use Facebook's PHP SDK? It would reduce the time to develop your app and take care of these errors for you.

Anvesh Saxena
  • I'm making a login for an external site. I don't know if I'm doing something wrong, but I can't get the SDK to work, not to mention that I don't see any reference to the php-sdk in the documentation regarding server-side auth https://developers.facebook.com/docs/howtos/login/server-side-login – nikolas Apr 25 '13 at 12:15
  • @nikolas You are correct, they haven't used the PHP SDK in their How-to, but there is an example for the same [here](https://github.com/facebook/facebook-php-sdk/blob/master/examples/example.php). Even if you are doing the current implementation for an external site, I would like you to redirect to the page stripping the code parameter after you have saved the access token in the session – Anvesh Saxena Apr 25 '13 at 12:21
  • It still doesn't seem to redirect me so that I can log in with FB and then get back to my app. Is there any way on reload to clear the query string from the URL, so that it doesn't get the no-longer-valid code? – nikolas Apr 25 '13 at 13:44
  • You can send a redirect after you save, like `header("Location:yourpage.php");`, so there is no valid code available, and on your page check for the existence of the access token in the session. – Anvesh Saxena Apr 25 '13 at 18:24
  • Hi Anvesh, I just noticed your answer and I have ended up with a similar solution. I'll post it as an answer, and thank you very much for your contribution – nikolas Apr 26 '13 at 07:21

I altered the code a little bit in order to bypass the problem.

   if ($params['access_token'] == NULL) {
     // No usable token (for example the code was already consumed on a refresh):
     // send the browser back to the page without any query string so a fresh code is obtained
     header("Location: " . $my_url);
     exit; // nothing below should run once the redirect has been sent
   }

   $graph_url = "https://graph.facebook.com/me?access_token="
     . $params['access_token'];

   $user = json_decode(file_get_contents($graph_url));
 } // end of the state-check block from the question

So, if the access_token is not valid, then the page is "forced" to be reloaded without any query string and retrieves a new one. :) There was a useful reference over here as well https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/ and many thanks to @Anvesh Saxena for his contribution

nikolas
  • Also a useful reference http://stackoverflow.com/questions/3845151/is-there-a-way-to-check-if-facebook-access-token-is-still-valid – nikolas Apr 26 '13 at 10:13
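Both answers describe the same fix: an OAuth authorization code is single-use, so the page must exchange it exactly once, keep the resulting token in the session, and then redirect away from the callback URL so a refresh cannot re-submit the consumed code. The script below is an added example that puts the whole flow together; it is not the asker's code nor Facebook's SDK. `APP_ID`, `APP_SECRET` and `REDIRECT_URI` are placeholders, the Graph endpoints are the ones used in the question, and `exchange_code`/`fetch_me` are helper names chosen here.

```php
<?php
// Added example (not the asker's or Facebook's code): the server-side OAuth
// flow restructured so that a page refresh no longer re-submits a consumed code.
// Assumptions: APP_ID, APP_SECRET and REDIRECT_URI are placeholders you fill in;
// the Graph API endpoints are those used in the question.

const APP_ID       = 'YOUR_APP_ID';                    // placeholder
const APP_SECRET   = 'YOUR_APP_SECRET';                // placeholder, server-side only
const REDIRECT_URI = 'https://example.com/login.php';  // placeholder, must match the app settings

session_start();

// 1. Already logged in: the token lives in the session, not in the URL,
//    so a refresh simply reuses it instead of replaying the code.
if (!empty($_SESSION['access_token'])) {
    $user = fetch_me($_SESSION['access_token']);
    if ($user !== null) {
        var_dump($user);
        exit;
    }
    // Token expired or was revoked: forget it and start the flow again.
    unset($_SESSION['access_token']);
}

// 2. Callback from Facebook: verify the state, then exchange the one-time code once.
if (isset($_GET['code'])) {
    if (empty($_SESSION['state']) || empty($_GET['state'])
        || !hash_equals($_SESSION['state'], $_GET['state'])) {
        http_response_code(403);
        exit('The state does not match. You may be a victim of CSRF.');
    }
    unset($_SESSION['state']);            // the state value is single-use as well

    $token = exchange_code($_GET['code']);
    if ($token === null) {
        // Most likely a refresh that re-sent an already consumed code:
        // strip the query string and let the user obtain a fresh code.
        header('Location: ' . REDIRECT_URI);
        exit;
    }
    session_regenerate_id(true);          // fresh session id after login
    $_SESSION['access_token'] = $token;

    // 3. Post/Redirect/Get: leave the callback URL so F5 cannot replay the code.
    header('Location: ' . REDIRECT_URI);
    exit;
}

// 4. No session and no code: send the user to the login dialog.
$_SESSION['state'] = bin2hex(random_bytes(16)); // CSRF protection
$dialog_url = 'https://www.facebook.com/dialog/oauth?' . http_build_query([
    'client_id'    => APP_ID,
    'redirect_uri' => REDIRECT_URI,
    'state'        => $_SESSION['state'],
    'scope'        => 'publish_actions',
]);
header('Location: ' . $dialog_url);
exit;

/** Exchange an authorization code for an access token; null if Facebook rejects it. */
function exchange_code(string $code): ?string
{
    $token_url = 'https://graph.facebook.com/oauth/access_token?' . http_build_query([
        'client_id'     => APP_ID,
        'redirect_uri'  => REDIRECT_URI,
        'client_secret' => APP_SECRET,
        'code'          => $code,
    ]);
    // A consumed code yields an HTTP 400; @ turns the warning into a false return.
    $response = @file_get_contents($token_url);
    if ($response === false) {
        return null;
    }
    // Older Graph API versions return a query string, newer ones return JSON.
    $json = json_decode($response, true);
    if (is_array($json) && isset($json['access_token'])) {
        return $json['access_token'];
    }
    parse_str($response, $params);
    return empty($params['access_token']) ? null : $params['access_token'];
}

/** Fetch /me with the token; null if the token is expired or invalid. */
function fetch_me(string $access_token): ?object
{
    $graph_url = 'https://graph.facebook.com/me?' . http_build_query(['access_token' => $access_token]);
    $body = @file_get_contents($graph_url);
    if ($body === false) {
        return null;
    }
    $user = json_decode($body);
    return (is_object($user) && !isset($user->error)) ? $user : null;
}
```

The ordering matters: the session check comes first, so a logged-in user never touches the code path again; the state comparison uses `hash_equals` rather than `===` to avoid a timing side channel; and every `header('Location: ...')` is followed by `exit`, which the question's original code lacked and which otherwise lets the rest of the script run (and echo output) into the redirect response.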