public function testGetCodeWithInvalidCSRFState() { $csrf_cookie_name = FBCode::constructCSRFTokenCookieName(self::APP_ID); $_COOKIE[$csrf_cookie_name] = $this->generateMD5HashOfRandomValue(); $facebook = new FBCode(array( 'appId' => self::APP_ID, 'secret' => self::SECRET, )); $code = $_REQUEST['code'] = $this->generateMD5HashOfRandomValue(); $_REQUEST['state'] = $_COOKIE[$csrf_cookie_name]."forgery!!!"; $this->assertFalse($facebook->publicGetCode(), 'Expect getCode to fail, CSRF state should not match.'); }