I am trying to play around with authentication for an app I am working on atm. The app will be tab based. I am now strugling with an infinite loop while trying to authenticate the app. The authentication procces is like this:
if (!isset($_REQUEST["code"])) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
$dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
. $appId . "&redirect_uri=" . urlencode($redirectUri) . "&state="
. $_SESSION['state'];
echo("<script> top.location.href='" . $dialog_url . "'</script>");
exit;
}
if ($_REQUEST['state'] == $_SESSION['state']) {
$code = $_GET["code"];
$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $appId . "&redirect_uri=" . urlencode($redirectUri)
. "&client_secret=" . $appSecret . "&code=" . $code;
$response = @file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . $user->name);
} else {
echo("The state does not match. You may be a victim of CSRF.");
}
The $redirectUri is now set to "http://www.facebook.com/pages/DummyPage/PAGE_ID?sk=app_APP_ID" but once I am redirected back, after the authentication, I am unable to read $_GET or $_REQUEST arrays because they are empty (even though I can see that the url I get after auth. has "code", "state" etc. in it). This will result in infinite loop, because I am stuck in the first if statement.
What is interesting here is that when I change the $redirectUri to the url where my app sits in - right now I am testing it on localhost - so I put in "http://localhost/test/index.php" - the infinite loop wont happen because I am redirected outside facebook and I can read from $_GET array.
I need to stay on facebook when authenticating. Do you guys know how to get around this problem?
