StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POFacebook Auth and CSRF mechanism
primarykey
Id
7806443
data
AcceptedAnswerId
0
AnswerCount
1
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2011-10-18T11:24:45.590
FavoriteCount
2
LastActivityDate
2011-10-25T06:28:47.427
LastEditDate
2011-10-23T16:49:41.310
LastEditorUserId
53114
OwnerUserId
950218
ParentId
0
PostTypeId
1
Score
0
ViewCount
1557
LastEditorDisplayName
text
Body
I am currently building a website using facebook authentication. I am running locally and keep getting CSRF errors. I am trying to understand their CSRF protection mechanism: <pre><code> $code = $_REQUEST["code"]; $_SESSION['state']= $_REQUEST['state'];//GETS SITE WORKING BUT UNSAFE!!!/// if(empty($code)) { $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection $dialog_url = "http://www.facebook.com/dialog/oauth?client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state=" . $_SESSION['state']; echo("<script> top.location.href='" . $dialog_url . "'</script>"); } if($_REQUEST['state'] == $_SESSION['state']) { </code></pre> What happens is that it seems my $_REQUEST['state'] is set but my $_SESSION['state'] is not. Hence to get it working i have the line which sets both equal. My $code variable never seems to be empty hence a new $_SESSION['state' variable is never set. Firstly what is the role of $_REQUEST['code'] and where does this/is this variable come from/set? Any ideas how to fix this with my unsafe line of code? p.s I know I should use the FB sdk, but am learning web design/security so this is a good exercise to learn how it works!! Many Thanks Sam <hr> To anybody who is interested, I have worked out how it works, but still haven't fixed my problem...Anyway The CSFR protection system works by saving a State 'ID' on the server-side in the $_SESSION['state'], the same ID is saved also inside the $_REQUEST['state'] , so on the client side. This therefore means if a CSRF attack occurs, the state value of the CSRF attack (client side) won't match that of $_SESSION['state'] hence the code does not proceed and the attack is prevented. Please correct me if I am wrong!
Tags
<php><facebook><facebook-graph-api><csrf>
Title
Facebook Auth and CSRF mechanism
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USGumbo
UserOwnerUserId
1. USSam Palmer
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POFacebook Auth and CSRF mechanism
 UserUserId
 USifaour
 VoteTypeVoteTypeId
 VTFavorite
2. VO
 singulars
 PostPostId
 POFacebook Auth and CSRF mechanism
 UserUserId
 USuser1857586
 VoteTypeVoteTypeId
 VTFavorite
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.