The following is an example taken from Facebook's authentication page. What is the idea behind adding data to the session and then redirecting to a URL using javascript? Also why do an md5 hash of a uniqid?
<?php
$app_id = "YOUR_APP_ID";
$app_secret = "YOUR_APP_SECRET";
$my_url = "YOUR_URL";
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
$dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
. $_SESSION['state'];
echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
if($_REQUEST['state'] == $_SESSION['state']) {
$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $app_secret . "&code=" . $code;
$response = file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . $user->name);
}
else {
echo("The state does not match. You may be a victim of CSRF.");
}
?>
I know this will probably get slated as it is a wikipedia link, but you can find a full explanation of csrf here http://en.wikipedia.org/wiki/Cross-site_request_forgery, once you fully understand what it is you will understand how having a unique token per user can protect against it. The prevention section lists using a per-user token as a method of prevention.
It ensures that you are being redirected here only in response to an action initiated by the site. Read up on CSRF at https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29.
By generating a hard (impossible) to guess value ans storing it in a session as well as sending it with a request, this script can verify if it was called by itself instead of somewhere else. somewhere else the hard to guess value would be unknwon and could thus not be supplied.
Related
I have an app that posts to people's Facebook pages and profiles. The below code has been in place for about 2 years. Now, for new users, when my app logs into Facebook and asks for permissions, it does not ask for manage_pages, even though its explicitly listed below.
Did something on the Facebook side change which requires me to change my code?
Thanks,
Brian
if (isset($_REQUEST["code"]))
$code = $_REQUEST["code"];
if(empty($code)) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); // CSRF protection
$dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
. $FBAPPID . "&redirect_uri=" . urlencode($my_url) . "&state="
. $_SESSION['state'] . "&scope=publish_actions,manage_pages,publish_pages";
header("Location: " . $dialog_url);
exit;
}
if($_SESSION['state'] && ($_SESSION['state'] === $_REQUEST['state'])) {
// state variable matches
$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $FBAPPID . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $FBSECRET . "&code=" . $code;
$response = file_get_contents($token_url);
... (more stuff)
the code is according to fb manual, and i ve noticed that if the user refreshes the page, i can't retrieve the id of the user..the user will need to clear from the address bar the entire string after my url, in order to be able to obtain user info..
<?php
$app_id = "myid";
$app_secret = "mysecretkey";
$my_url = "http://myurl.php";
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); // CSRF protection
$dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
. $_SESSION['state'] . "&scope=publish_actions";
header("Location: " . $dialog_url);
}
if($_SESSION['state'] && ($_SESSION['state'] === $_REQUEST['state'])) {
$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $app_secret . "&code=" . $code;
$response = file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$_SESSION['access_token'] = $params['access_token'];
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
$user = json_decode(file_get_contents($graph_url));
echo var_dump($user);
else {
echo("The state does not match. You may be a victim of CSRF.");
}
var_dump returns to me all necessary information after first redirect, but if i refresh the page it returns null..
perhaps i need to "destroy" any session cookies??
This happens cause the $code that you are using is no longer valid and has been consumed.
Also might I suggest you to use Facebook's PHP SDK. It would reduce time to develop your app and take care of these errors for you.
i altered the code a little bit, in order to by pass the problem..
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
if ($params['access_token'] == NULL) {
header("Location: " . $my_url);
}
$user = json_decode(file_get_contents($graph_url));
}
so, if the access_token is not valid, then the page is "forced" to be reloaded without any string query and retrieves a new one.. :)
there was a usefull reference over here as well https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
and many thanks to #Anvesh Saxena for his contribution
I want that users can authenticate through their fb account, and i tried their demo script:
$app_id = "*****";
$app_secret = "*****";
$my_url = "http://localhost/fb/fb.php";
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
$dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
. $_SESSION['state'];
echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
if($_REQUEST['state'] == $_SESSION['state']) {
$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $app_secret . "&code=" . $code;
$response = #file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . $user->name);
echo "$user->name";
}
else {
echo("The state does not match. You may be a victim of CSRF.");
}
The problem is that after a successful login only the "Hello" string is displayed, but my $user->name is not showed.
Even though this is official FB code (I didn't realize that at the start, sorry), I recommend you debug it to see what goes wrong.
Activate error reporting
Remove the # in front of all calls - it suppresses the output of errors
Look what address $graph_url contains and whether you can access it in your browser
See whether the call to $graph_url works out (output the result)
See whether the json_decode() works out (output the result)
if this is a global or Facebook issue, you may need to talk to Facebook about what is wrong with their demo code.
The Facebook authentication example given at http://developers.facebook.com/docs/authentication/ tries to prevent CSRF by inserting a random grouping of information into the status part of the auth_request. When that auth_request returns, the code checks to make sure that same random group has been returned with the request. How does that precent CSRF?
The code:
<?php
$app_id = "YOUR_APP_ID";
$app_secret = "YOUR_APP_SECRET";
$my_url = "YOUR_URL";
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
$dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
. $_SESSION['state'];
echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
if($_REQUEST['state'] == $_SESSION['state']) {
$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $app_secret . "&code=" . $code;
$response = file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . $user->name);
}
else {
echo("The state does not match. You may be a victim of CSRF.");
}
?>
The bit of information is added to the request here:
if(empty($code)) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
$dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
. $_SESSION['state'];
echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
And checked here:
if($_REQUEST['state'] == $_SESSION['state'])
How does ensuring they have the same "state" ensure no CSRF?
Thanks
The hash (or state) is generated by you for each request to the web service (Facebook) and stored in the session on your server. This hash is sent with the request to Facebook from your website. Facebook sends the exact same hash back as a parameter on the response.
All you do is check if the hash generated before the request matches the one in the response.
MyWebsite | Facebook
---------------+-----------------
|
Generate $hash |
Store $hash |
|
$hash
----------------------->
|
$hash
<-----------------------
|
Check $hash |
This prevents CSRF because the hash is different for each request. Obviously, if you use the same string for each request, anyone who knows (or guesses) it will be able to forge a response.
Once the request is complete, check the hash from the session and the hash in the response both match. If they don't match, it's likely to be a forged response. After you check, clear the value from the session as you won't be needing it again.
In general cases (not just Facebook's implementation), it's often wise to also store a timeout for the hash. This will prevent a hash from an incomplete request being used/exploited at a later date. There is no single time that will fit all applications and cases, but in the case of a secondary request/action like this, 30s-1 minute would do.
im trying to import "log in with facebook" opportunity to my website, im using http://developers.facebook.com/docs/authentication, but still can not make it work.
I register my website and have app id and app secret.
I have the following code in my login form:
<img src="images/fb-login-button.png" />
facebook.php file:
<?php
$app_id = 1000000000000;
$app_secret = "asdasdasdasd";
$my_url = "http://xxxx.xx/";
$code = $_REQUEST["code"];
if(empty($code)) {
$dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url);
echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
$token_url = "https://graph.facebook.com/oauth/access_token?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&client_secret="
. $app_secret . "&code=" . $code;
$access_token = file_get_contents($token_url);
$graph_url = "https://graph.facebook.com/me?" . $access_token;
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . $user->name);
?>
It returns message "undefined index code" and I have no idea where and what to change.
Please, help!
The error you're getting is telling you that the "code" parameter you're looking for in the request:
$code = $_REQUEST["code"];
is not being submitted.. E.g. you either need to post "code" to the page or pass it via GET using facebook.php?code=something
To avoid running into errors when the parameter "code" is not sent, your code could look like:
if(!isset( $_REQUEST["code"] ) ) {
$dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url);
echo("<script> top.location.href='" . $dialog_url . "'</script>");
} else {
$code = $_REQUEST["code"];
}
Hope that helps..