Problem description:
After aggregated (third-party) login was set up for the 一为 (onenav) theme, logging in with QQ, WeChat or another provider opens and redirects to QQ Connect normally, but the callback comes back with the message: The state does not match. You may be a victim of CSRF. This post records the troubleshooting and the fix.
Article source: 玩技e族 - https://www.playezu.com/850482.html
Troubleshooting:
1. Locate the callback file /wp-content/themes/onenav/inc/auth/prk-callback.php:
<?php
/*
 * @Author: iowen
 * @Author URI: https://www.iowen.cn/
 * @Date: 2022-06-19 16:23:07
 * @LastEditors: iowen
 * @LastEditTime: 2022-06-19 17:30:05
 * @FilePath: \onenav\inc\auth\prk-callback.php
 * @Description:
 */
// Load WordPress so theme options and helpers are available in this standalone file.
include_once('../../../../../wp-config.php');
// The state value was stored in the session before the redirect to the provider;
// the session must therefore be resumed here with the same session cookie.
if(!session_id()) session_start();
$type = isset($_GET['type'])?$_GET['type']:'qq';
$pyk = io_get_option('open_prk_key');
$pyk_config = array(
    'apiurl'   => $pyk['apiurl'],
    'appid'    => $pyk['appid'],
    'appkey'   => $pyk['appkey'],
    'state'    => $_SESSION['state'],
    'callback' => get_theme_file_uri('/inc/auth/prk-callback.php'),
);
if($_GET['code']){
    // Anti-CSRF check: the state returned by the provider must equal the one
    // stored in this user's session. If the session is empty or a different
    // session was started, this comparison fails and the message below is shown.
    if($_GET['state'] != $_SESSION['state']){
        exit("The state does not match. You may be a victim of CSRF.");
    }
    unset($_SESSION['state']);
    $Oauth = new ioLoginPrk($pyk_config);
    $arr = $Oauth->callback();
    $Oauth->use_db($arr,$_SESSION['rurl']);
}
2. Locate the request log /www/wwwlogs/xxx.xxx.com.log; it shows the following:
103.150.185.227 - - [10/Oct/2024:11:54:13 +0800] "GET /wp-content/themes/onenav/inc/auth/prk-callback.php?type=qq&code=xxxxxx&state=xxxxxx HTTP/2.0" 200 72 "https://graph.qq.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
About the CSRF message:
The current problem occurs when $_GET['state'] does not match $_SESSION['state'], which triggers the error message The state does not match. You may be a victim of CSRF.
Verification code:
The session status can be checked in code as follows:
if (session_status() === PHP_SESSION_NONE) {
    echo "Session is not started.";
} else {
    echo "Session is started.";
}
The result is Session is not started.
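Two different situations produce the same message from the callback: the session is resumed but holds a different state, or, as the check above showed, no session is available at all so $_SESSION['state'] is never set. The following is an added example, not the theme's code, showing how a state check can tell these cases apart in the log; the names prk_make_state and prk_verify_state are hypothetical.

```php
<?php
// Added example (not from the onenav theme): OAuth "state" anti-CSRF round trip.
// prk_make_state / prk_verify_state are hypothetical helper names.
declare(strict_types=1);

// Step 1, before redirecting to the provider: create an unguessable state
// and keep it in the server-side session so the callback can compare it.
function prk_make_state(): string {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $state = bin2hex(random_bytes(16));
    $_SESSION['state'] = $state;
    return $state;
}

// Step 2, in the callback: compare the returned state with the stored one.
// Returns null on success, otherwise a short reason suitable for logging,
// so a lost session is distinguishable from a real mismatch.
function prk_verify_state(array $get, array &$session): ?string {
    if (!isset($session['state'])) {
        // Session never started, or a fresh session id was issued (expired
        // storage, different cookie domain/path): the check cannot pass.
        return 'no state in session';
    }
    if (!isset($get['state']) || !is_string($get['state'])) {
        return 'no state in request';
    }
    $expected = $session['state'];
    unset($session['state']); // single use, regardless of the outcome
    if (!hash_equals($expected, $get['state'])) {
        return 'state mismatch';
    }
    return null;
}

// Constructed demonstration with in-memory arrays instead of $_GET/$_SESSION.
if (PHP_SAPI === 'cli') {
    $empty = [];
    var_dump(prk_verify_state(['state' => 'abc'], $empty));
    $same = ['state' => 'abc'];
    var_dump(prk_verify_state(['state' => 'abc'], $same));
    $other = ['state' => 'abc'];
    var_dump(prk_verify_state(['state' => 'xyz'], $other));
}
```

Logging the reason string instead of a single generic message shows immediately whether the session cookie reached the callback request at all.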
Checking the environment: