I want that users can authenticate through their fb account, and i tried their demo script:
$app_id = "*****";
$app_secret = "*****";
$my_url = "http://localhost/fb/fb.php";
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
$dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
. $_SESSION['state'];
echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
if($_REQUEST['state'] == $_SESSION['state']) {
$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $app_secret . "&code=" . $code;
$response = #file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . $user->name);
echo "$user->name";
}
else {
echo("The state does not match. You may be a victim of CSRF.");
}
The problem is that after a successful login only the "Hello" string is displayed, but my $user->name is not showed.
Even though this is official FB code (I didn't realize that at the start, sorry), I recommend you debug it to see what goes wrong.
Activate error reporting
Remove the # in front of all calls - it suppresses the output of errors
Look what address $graph_url contains and whether you can access it in your browser
See whether the call to $graph_url works out (output the result)
See whether the json_decode() works out (output the result)
if this is a global or Facebook issue, you may need to talk to Facebook about what is wrong with their demo code.
Related
I am trying to end up with some descent facebook login on my website, but I came up with a little problem. When i try to login, facebook doesn't even ask for an email permission, only for my location. Here's the main part of my code:
$app_id = "XXXXXX";
$app_secret = "XXXXX";
$my_url = "XXXXXX";
$code = $_REQUEST["code"];
if(empty($code)) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); // CSRF protection
$dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
. $_SESSION['state']."&scope=publish_stream,user_location,email";
echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
if (!$_POST) {
if($_SESSION['state'] && ($_SESSION['state'] === $_REQUEST['state'])) {
$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $app_secret . "&code=" . $code;
$response = file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$_SESSION['access_token'] = $params['access_token'];
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
$user = json_decode(file_get_contents($graph_url));
} else {
echo("The state does not match. You may be a victim of CSRF.");
}
}
Where's the problem?
the code is according to fb manual, and i ve noticed that if the user refreshes the page, i can't retrieve the id of the user..the user will need to clear from the address bar the entire string after my url, in order to be able to obtain user info..
<?php
$app_id = "myid";
$app_secret = "mysecretkey";
$my_url = "http://myurl.php";
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); // CSRF protection
$dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
. $_SESSION['state'] . "&scope=publish_actions";
header("Location: " . $dialog_url);
}
if($_SESSION['state'] && ($_SESSION['state'] === $_REQUEST['state'])) {
$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $app_secret . "&code=" . $code;
$response = file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$_SESSION['access_token'] = $params['access_token'];
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
$user = json_decode(file_get_contents($graph_url));
echo var_dump($user);
else {
echo("The state does not match. You may be a victim of CSRF.");
}
var_dump returns to me all necessary information after first redirect, but if i refresh the page it returns null..
perhaps i need to "destroy" any session cookies??
This happens cause the $code that you are using is no longer valid and has been consumed.
Also might I suggest you to use Facebook's PHP SDK. It would reduce time to develop your app and take care of these errors for you.
i altered the code a little bit, in order to by pass the problem..
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
if ($params['access_token'] == NULL) {
header("Location: " . $my_url);
}
$user = json_decode(file_get_contents($graph_url));
}
so, if the access_token is not valid, then the page is "forced" to be reloaded without any string query and retrieves a new one.. :)
there was a usefull reference over here as well https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
and many thanks to #Anvesh Saxena for his contribution
I am trying to get Facebook profile picture . I am using the following with my value in place of ######### . After running the PHP i get a message "Hello".
I want that i get my name also with it like "Hellow Aditya" along with my profile picture. what should i edit to get that ? Also would it be possible to save the profile picture on the sever itself?
<?php
$app_id = ###############;
$app_secret = "#################";
$my_url = "###################";
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
$dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
. $_SESSION['state'];
echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
if($_REQUEST['state'] == $_SESSION['state']) {
$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $app_secret . "&code=" . $code;
$response = file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . $user->name);
}
else {
echo("The state does not match. You may be a victim of CSRF.");
}
?>
You can get it this way:
http://graph.facebook.com/[USER ID]/picture
The following is an example taken from Facebook's authentication page. What is the idea behind adding data to the session and then redirecting to a URL using javascript? Also why do an md5 hash of a uniqid?
<?php
$app_id = "YOUR_APP_ID";
$app_secret = "YOUR_APP_SECRET";
$my_url = "YOUR_URL";
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
$dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
. $_SESSION['state'];
echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
if($_REQUEST['state'] == $_SESSION['state']) {
$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $app_secret . "&code=" . $code;
$response = file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . $user->name);
}
else {
echo("The state does not match. You may be a victim of CSRF.");
}
?>
I know this will probably get slated as it is a wikipedia link, but you can find a full explanation of csrf here http://en.wikipedia.org/wiki/Cross-site_request_forgery, once you fully understand what it is you will understand how having a unique token per user can protect against it. The prevention section lists using a per-user token as a method of prevention.
It ensures that you are being redirected here only in response to an action initiated by the site. Read up on CSRF at https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29.
By generating a hard (impossible) to guess value ans storing it in a session as well as sending it with a request, this script can verify if it was called by itself instead of somewhere else. somewhere else the hard to guess value would be unknwon and could thus not be supplied.
im trying to import "log in with facebook" opportunity to my website, im using http://developers.facebook.com/docs/authentication, but still can not make it work.
I register my website and have app id and app secret.
I have the following code in my login form:
<img src="images/fb-login-button.png" />
facebook.php file:
<?php
$app_id = 1000000000000;
$app_secret = "asdasdasdasd";
$my_url = "http://xxxx.xx/";
$code = $_REQUEST["code"];
if(empty($code)) {
$dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url);
echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
$token_url = "https://graph.facebook.com/oauth/access_token?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&client_secret="
. $app_secret . "&code=" . $code;
$access_token = file_get_contents($token_url);
$graph_url = "https://graph.facebook.com/me?" . $access_token;
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . $user->name);
?>
It returns message "undefined index code" and I have no idea where and what to change.
Please, help!
The error you're getting is telling you that the "code" parameter you're looking for in the request:
$code = $_REQUEST["code"];
is not being submitted.. E.g. you either need to post "code" to the page or pass it via GET using facebook.php?code=something
To avoid running into errors when the parameter "code" is not sent, your code could look like:
if(!isset( $_REQUEST["code"] ) ) {
$dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url);
echo("<script> top.location.href='" . $dialog_url . "'</script>");
} else {
$code = $_REQUEST["code"];
}
Hope that helps..