I was implementing Facebook Login on my site, and I got this error when Facebook called back to my site with the AccessToken.
Error: “Cross-site request forgery validation failed. The “state” param from the URL and session do not match.”

I searched the internet and found some solutions, such as using session_start() or correcting the sequence, none of which worked for me. I checked the Network panel in the Chrome debugger and found that the favicon tag was not assigned, so the same URL was being called again. As a result, the Facebook URL created by the previous request was invalidated and a new value for the key “FBRLH_state” was generated in the session. It was easy to fix the image, which I did, but as a permanent solution I implemented this flow.

1- Login Page: Create a static URL on my site for Facebook Login (mysite.com/facebook-login) and set it on the “Login with Facebook” button.
2- Facebook Login: Generate the Facebook login URL (as described in the Facebook SDK documentation) and redirect the request to that URL.
3- Facebook Callback: The standard way described in the Facebook SDK documentation.
4- Happy Flow 🙂
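
The difference between the two layouts, as an added example that is not part of the original post and not Facebook SDK code: a constructed model in which `$session` stands in for `$_SESSION` and every function name is hypothetical; only the key `FBRLH_state` comes from the post. It shows a duplicate page request overwriting the saved state before the callback, and the dedicated /facebook-login endpoint avoiding that.

```php
<?php
declare(strict_types=1);

// Constructed model: $session stands in for $_SESSION; function names are hypothetical.

// Store a fresh random state in the session and return it for the login URL.
function issueState(array &$session): string
{
    $session['FBRLH_state'] = bin2hex(random_bytes(16));
    return $session['FBRLH_state'];
}

// Compare the state from the callback URL with the saved one, then discard it.
function checkCallback(array &$session, string $stateFromUrl): bool
{
    $saved = $session['FBRLH_state'] ?? '';
    unset($session['FBRLH_state']);            // a state value is single use
    return $saved !== '' && hash_equals($saved, $stateFromUrl);
}

// Original layout: rendering the login page builds the login URL, so it issues state.
function loginPageIssuingState(array &$session): string
{
    return issueState($session);               // state ends up in the button's href
}

// Revised layout (step 1): the page only links to /facebook-login, no state touched.
function loginPageStatic(array &$session): void
{
}

// Revised layout (step 2): issue state and redirect within the same request.
function facebookLoginEndpoint(array &$session): string
{
    return issueState($session);
}

// Case 1: the page URL is requested twice (the stray favicon request) before the click.
$session = [];
$stateInButton = loginPageIssuingState($session);
loginPageIssuingState($session);               // second request overwrites the saved state
echo 'state issued on page render: ',
    checkCallback($session, $stateInButton) ? 'valid' : 'mismatch', PHP_EOL;

// Case 2: the same duplicate request is harmless; state is issued only on the click.
$session = [];
loginPageStatic($session);
loginPageStatic($session);
$stateInRedirect = facebookLoginEndpoint($session);
echo 'state issued at /facebook-login: ',
    checkCallback($session, $stateInRedirect) ? 'valid' : 'mismatch', PHP_EOL;
```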