So, how can I use the status value to login the user to facebook and prevent CSRF?
This is automatically handled by the PHP PHP SDK . If you are going to write your own Facebook API calls, you will need to send state manually (if desired) according to the Facebook OAuth documentation.
When you create the login URL with BaseFacebook::getLoginUrl() , the first thing the function does is set the CSRF state token 1 which creates a hash using the PHP kernel mt_rand() , uniqid() and md5() , and also saves value as a session variable.
When a user is redirected back to your page, FBSDK checks to see if the state represented matches state in the session. If the values really match, state is cleared from the Facebook object and from the session, so all subsequent getLoginUrl() requests will receive a new state variable. 2
Theoretically, you can use your own state value with FBSDK by writing it to the fb_<your_app_id>_state session fb_<your_app_id>_state before creating the Facebook object, as a constructor for BaseFacebook and establishCSRFTokenState() both checks if state already exists in the session.
But this is likely to lead to greater complexity than necessary.
- see
BaseFacebook::establishCSRFTokenState() - see
BaseFacebook::getCode()