Merge pull request facebookarchive#628 from SammyK/master

SammyK · web-flow · commit 535eb8ad4a11 · 2016-08-06T15:40:04.000-05:00
Reset the CSRF so that it does not get reused
diff --git a/src/Facebook/Helpers/FacebookRedirectLoginHelper.php b/src/Facebook/Helpers/FacebookRedirectLoginHelper.php
@@ -219,6 +219,7 @@ public function getAccessToken($redirectUrl = null)
         }
 
         $this->validateCsrf();
+        $this->resetCsrf();
 
         $redirectUrl = $redirectUrl ?: $this->urlDetectionHandler->getCurrentUrl();
         // At minimum we need to remove the state param
@@ -250,6 +251,14 @@ protected function validateCsrf()
         throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.');
     }
 
+    /**
+     * Resets the CSRF so that it doesn't get reused.
+     */
+    private function resetCsrf()
+    {
+        $this->persistentDataHandler->set('state', null);
+    }
+
     /**
      * Return the code.
      *

Original file line number	Diff line number	Diff line change
`@@ -219,6 +219,7 @@ public function getAccessToken($redirectUrl = null)`
`219`	`219`	`}`
`220`	`220`
`221`	`221`	`$this->validateCsrf();`
	`222`	`+ $this->resetCsrf();`
`222`	`223`
`223`	`224`	`$redirectUrl = $redirectUrl ?: $this->urlDetectionHandler->getCurrentUrl();`
`224`	`225`	`// At minimum we need to remove the state param`
`@@ -250,6 +251,14 @@ protected function validateCsrf()`
`250`	`251`	`throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.');`
`251`	`252`	`}`
`252`	`253`
	`254`	`+ /**`
	`255`	`+ * Resets the CSRF so that it doesn't get reused.`
	`256`	`+ */`
	`257`	`+ private function resetCsrf()`
	`258`	`+ {`
	`259`	`+ $this->persistentDataHandler->set('state', null);`
	`260`	`+ }`
	`261`	`+`
`253`	`262`	`/**`
`254`	`263`	`* Return the code.`
`255`	`264`	`*`