How can we help you today?
SocialError : The state parameters did not match (CSRF attack?).
20 CommentsSorted by Oldest First
Are you using any other libraries? I suspect some client-side routing mechanism rewrites the url and strips out the state parameter. What is the URL you’re redirecting back to?
Hmm, Yea that could be. I am rewriting my URL's. I will take a look into it first thing Monday and post back if the problem was solved. Thanks!
i'm also seeing the same error. What redirect URL should I put in facebook? My log in page is located at http://localhost:8000/#/tab/account. I put http://localhost:8000/ as my website URL.
I'm having the same issue.... localhost as the URL, just using the demo code here:
https://github.com/Kinvey/SignIn-Angular
Twitter works but not Facebook.
https://github.com/Kinvey/SignIn-Angular
Twitter works but not Facebook.
The problem is the Angular router uses a `#` for its routing. So the URL after the redirect back cannot be read successfully. I think this is solvable by manually specifying the redirect URL:
```
Kinvey.Social.connect(null, 'facebook', { redirect: 'http://localhost:8000/' });
```
```
Kinvey.Social.connect(null, 'facebook', { redirect: 'http://localhost:8000/' });
```
That wasn't able to fix my problem. So, my page starts off as http://localhost:8080/#/discover. Click on sign-in, and I've tried setting the redirect to both http://localhost:8080 and localhost:8080/#/discover, but neither work. Going straight to localhost:8080 redirects to http://localhost:8080/#/discover.
Hey I am also still having problems. I did find the reason why but I am not sure how to solve it.
In my application, when the user loads the page I call history.replaceState to fix any bad URL's the user may have typed in. If I call replaceState to set the URL to the correct URL it causes the facebook login to stop working.
I have also tried making the state variable on replaceState set to null, like it is if I dont call replaceState, but this didn't help. It seems the only way to fix the issue is not to use replaceState or pushState? Does anyone knows a way around this?
In my application, when the user loads the page I call history.replaceState to fix any bad URL's the user may have typed in. If I call replaceState to set the URL to the correct URL it causes the facebook login to stop working.
I have also tried making the state variable on replaceState set to null, like it is if I dont call replaceState, but this didn't help. It seems the only way to fix the issue is not to use replaceState or pushState? Does anyone knows a way around this?
Me too. The manual redirect doesn't work. I also run the demo in iOS simulator, encountering the same error "The state parameters did not match (CSRF attack?).". But running the demo on localhost:8000, it can work sometimes.
The trick is to intercept the url and avoid the redirect somehow. This seems more an AngularJS routing problem though, so I’d recommend using the [AngularJS boards](https://groups.google.com/forum/#!forum/angular).
Thanks. Will look in the AngularJS board. I noticed that when I run the demo using phonegap in iOS simulator, it doesn't redirect or pop up the facebook login screen. Does anyone know how to enable the redirect/popup?
I solved this by opening a new window without rewriting any urls and once the login was complete, returned to the previous window. Probably the way I should have done it in the beginning anyway. Works great.
> @kueckermann said:
> I solved this by opening a new window without rewriting any urls and once the login was complete, returned to the previous window. Probably the way I should have done it in the beginning anyway. Works great.
Hi, any chance you could elaborate on this? My sign in page is at localhost:3000/#/signin and when I attempt to login with facebook, it opens a new popup with the url of localhost:3000/undefined, closes the window, and returns to the same sign in page. Yet it does create a user in the users table.
Stuck.
> I solved this by opening a new window without rewriting any urls and once the login was complete, returned to the previous window. Probably the way I should have done it in the beginning anyway. Works great.
Hi, any chance you could elaborate on this? My sign in page is at localhost:3000/#/signin and when I attempt to login with facebook, it opens a new popup with the url of localhost:3000/undefined, closes the window, and returns to the same sign in page. Yet it does create a user in the users table.
Stuck.
I did try the manual redirect, but had no luck.
> @kalvin said:
> That wasn't able to fix my problem. So, my page starts off as http://localhost:8080/#/discover. Click on sign-in, and I've tried setting the redirect to both http://localhost:8080 and localhost:8080/#/discover, but neither work. Going straight to localhost:8080 redirects to http://localhost:8080/#/discover.
Same scenario for me. Were you able to resolve this?
> That wasn't able to fix my problem. So, my page starts off as http://localhost:8080/#/discover. Click on sign-in, and I've tried setting the redirect to both http://localhost:8080 and localhost:8080/#/discover, but neither work. Going straight to localhost:8080 redirects to http://localhost:8080/#/discover.
Same scenario for me. Were you able to resolve this?
kueckermann
Im trying to setup login with facebook on my Webapp.
If I call _Kinvey.Social.connect(null, 'facebook')_ and wait when the new page opens and connects to facebook, then when it closes and goes back to my app's page I get this error:
**debug: "The state parameters did not match (CSRF attack?)."
description: "The social identity cannot be obtained."
name: "SocialError"**
But if, as soon as the new page opens to connect to facebook, I change tabs back to my apps webpage then when connection with facebook is done, it is successful.
Hope this makes sense. Just to reiterate. If I wait for the automatic change back to my web app then it fails but it I change manually back to my web app before the automatic change happens then it succeeds.
Any idea why?
Thanks.