
How to Implement Facebook Social Login Answered

Good afternoon,

I have been trying to use "login with Facebook" on my website for 15 days. I have been using the code published by Facebook, at the link https://developers.facebook.com/docs/facebook-log... web / v2.2.

My problem with this code is that I want the customer, after logging in with his Facebook account (through the window that pops out), to be redirected to a specific page on my website, but what happens is that after the customer logs in with his Facebook account, the client is redirected to the same page that asks him to log in.

I have already followed the steps that are explained in the link that I mentioned earlier. Could someone help me? Thanks



11 months ago

I followed the link you added. I copied the text that I felt was most relevant to what you wrote. It might help focus your troubleshooting. If not, sorry I couldn't help. Good luck.

State Parameter
If you're using the Facebook login dialog on your website, the state parameter is a unique string that guards your application against Cross-site Request Forgery attacks.

Enable Strict Mode
Strict Mode keeps apps safe by preventing bad actors from hijacking your redirect. Enabling Strict Mode is required for all apps.

Before turning on Strict Mode in the App Dashboard, ensure your current redirect traffic still works by taking the following actions in Facebook Login settings:

For apps with dynamic redirect URIs, use the state parameter to pass back the dynamic information to a limited number of redirect URIs. Then add each of the limited redirect URIs to the Valid OAuth redirect URIs list.

For apps with a limited number of redirect URIs, add each one to the Valid OAuth redirect URIs list.

For apps using only the Facebook JavaScript SDK, redirect traffic is already protected. No further action is needed.
After taking these actions, make sure to enable strict mode.

How Strict Mode Works
Strict Mode prevents hijacking of your redirect URIs by requiring an exact match from your Valid OAuth redirect URIs list. For example, if your list contains www.example.com, then Strict Mode won't allow www.example.com/token as a valid redirect. It also won't allow any extra query parameters not present in your Valid OAuth redirect URIs list.

Use HTTPS, instead of HTTP, as an internet protocol, because it uses encryption. HTTPS keeps transmitted data private and guards against eavesdropping attacks. It also prevents data from being tampered with during transmission by, for example, introducing advertisements or malicious code.

On October 6, 2018, all apps will be required to use HTTPS.

Lock Down Your Facebook App Settings
Enable and/or disable any authentication flows that the app does not use to minimize attack surface area.

Use code-generated short-term access tokens in clients instead of client-generated tokens or server-provided long-term tokens. The code-generated short-term access tokens flow requires the app server to exchange the code for a token, which is more secure than obtaining a token in the browser. Apps should prefer using this flow whenever possible to be more secure; if an app only enables this flow, malware running on a user's computer cannot obtain an access token to abuse. Learn more in our access tokens documentation.

Disable Client OAuth Login if your app does not use it. Client OAuth Login is the global on-off switch for using OAuth client token flows. If your app does not use any client OAuth flows, which include Facebook login SDKs, you should disable this flow. Note, though, that you can't request permissions for an access token if you have Client OAuth Login disabled. This setting is found in the Products > Facebook Login > Settings section of the App Dashboard.

Disable Web OAuth Flow or Specify a Redirect Whitelist. Web OAuth Login settings enables any OAuth client token flows that use the Facebook web login dialog to return tokens to your own website. This setting is in the Products > Facebook Login > Settings section of the App Dashboard. Disable this setting if you are not building a custom web login flow or using the Facebook Login SDK on the web.

Enforce HTTPS. This setting requires HTTPS for OAuth Redirects, and it requires that Facebook JavaScript SDK calls that return or require an access token are made only from HTTPS pages. All new apps created as of March 2018 have this setting on by default, and you should plan to migrate any existing apps to use only HTTPS URLs by October 6, 2018. Most major cloud application hosts provide free and automatic configuration of TLS certificates for your applications. If you self-host your app or your hosting service doesn't offer HTTPS by default, you can obtain a free certificate for your domain(s) from Let's Encrypt.

Disable embedded browser OAuth flow if your app does not use it. Some desktop and mobile native apps authenticate users by doing the OAuth client flow inside an embedded webview. If your app does not do this, then disable the setting in Products > Facebook Login > Settings section of the App Dashboard.

Disable mobile single sign-on flows if your app does not use them. If your app does not use iOS or Android Login, disable the 'Single Sign On' setting in the iOS and Android sections of Settings > Basic.

The App Dashboard contains a number of additional settings which allow developers to shut down areas of attack that might otherwise lead to security issues:

Basic > App Secret if your app secret is ever compromised, you can reset it here.
Basic > App Domains use this to lock down the domains and subdomains which can be used to perform Facebook Login on behalf of your app.
Advanced > App Type when you create a native app for mobile or desktop and include the app secret within, set this to Native/Desktop to protect against your app being decompiled and your app secret stolen.
Advanced > Server IP Whitelist specifies a list of IP addresses from which Graph API calls can be made with your app secret. Graph API calls made with your app secret from outside of this range will fail. Calls made with user access tokens are not affected by this setting.
Advanced > Update Settings IP Whitelist locks down the IP addresses from which someone can modify these app settings to a specific range. Take care setting an IP Whitelist on residential broadband. If your IP address changes you will lose the ability to edit your app's settings.
Advanced > Update Notification Email notifies an email address whenever any app setting is changed in the App Dashboard.
Advanced > Stream post URL security this will stop your app from publishing any URLs that don't point back to a domain it owns. This will not always be useful, specifically if you know your app will publish links to other sites.
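The quoted docs say to keep the Valid OAuth redirect URIs list small and exact (Strict Mode) and to carry the "where to go after login" information in the signed state parameter instead of in the redirect URI. The following is an added example of that pattern in a generic Python backend; it is not code from the forum post, the questioner's site or Facebook's SDK. The redirect URI, the post-login paths, the signing key and the v2.2 dialog endpoint shape are assumptions for the example.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode

# Constructed values for this example: the exact redirect URI registered under
# "Valid OAuth redirect URIs" and the site-internal paths a user may land on after login.
VALID_OAUTH_REDIRECT_URIS = {"https://www.example.com/auth/facebook/callback"}
ALLOWED_POST_LOGIN_PATHS = {"/dashboard", "/account", "/orders"}
STATE_KEY = secrets.token_bytes(32)  # hypothetical server-side secret; load from config in a real app


def make_state(session_nonce: str, next_path: str) -> str:
    """Mint the state parameter: per-session nonce (CSRF guard) plus the post-login path, HMAC-signed."""
    if next_path not in ALLOWED_POST_LOGIN_PATHS:
        next_path = "/dashboard"  # never carry an arbitrary target through the login flow
    payload = json.dumps({"n": session_nonce, "next": next_path}, separators=(",", ":")).encode()
    sig = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode().rstrip("=")


def parse_state(state: str, session_nonce: str):
    """Verify signature and nonce; return the post-login path, or None if the state is forged or stale."""
    try:
        raw = base64.urlsafe_b64decode(state + "=" * (-len(state) % 4))
    except ValueError:
        return None
    payload, sig = raw[:-32], raw[-32:]
    if not hmac.compare_digest(sig, hmac.new(STATE_KEY, payload, hashlib.sha256).digest()):
        return None
    data = json.loads(payload)
    if not hmac.compare_digest(data.get("n", ""), session_nonce):
        return None  # state was not minted for this browser session (CSRF)
    return data["next"] if data["next"] in ALLOWED_POST_LOGIN_PATHS else None


def build_login_url(app_id: str, redirect_uri: str, state: str) -> str:
    """Login dialog URL (endpoint shape assumed from the v2.2 docs); redirect_uri must match the list exactly."""
    if redirect_uri not in VALID_OAUTH_REDIRECT_URIS:
        raise ValueError("redirect_uri is not an exact entry in the Valid OAuth redirect URIs list")
    params = {"client_id": app_id, "redirect_uri": redirect_uri, "state": state, "response_type": "code"}
    return "https://www.facebook.com/v2.2/dialog/oauth?" + urlencode(params)


def handle_callback(query: dict, session_nonce: str) -> str:
    """Callback: decide where to send the browser. Falls back to the login page on any failure."""
    next_path = parse_state(query.get("state", ""), session_nonce)
    if next_path is None or "code" not in query:
        return "/login?error=state"
    # The server would now exchange query["code"] for a token (server side, never in the browser).
    return next_path
```

The session nonce is whatever random value the server stored in the user's session before sending them to the login dialog; a callback whose state does not carry that nonce is treated as forged and sent back to the login page rather than to the requested path.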

