The Laravel Socialite docs say:
The
statelessmethod may be used to disable session state verification. This is useful when adding social authentication to an API:
return Socialite::driver('google')->stateless()->user();
"Disable session state verification" sounds scary to me. The docs don't elaborate on what the security trade-off is.
In what cases is session state verification important, and why?
Background info and context:
My Socialite flow (using Facebook) is working completely fine when I use stateless().
But if I remove stateless(), only the "normal case" part of my flow works, and the part of the flow that re-requests "email" permissions (if a user omits them at first) does not work and instead results in Laravel\Socialite\Two\InvalidStateException.
Also, I'm not calling $provider->stateless()->user() more than once per request because I know from these docs that it removes a "state" variable from the session and therefore would fail on subsequent calls.
(I use getRedirectLoginHelper()->getReRequestUrl($redirectUrl, ['email']). See FacebookRedirectLoginHelper doc)
from Newest questions tagged laravel-5 - Stack Overflow http://bit.ly/2WfZZK4
via IFTTT
Aucun commentaire:
Enregistrer un commentaire