This document refers to a feature that was added in PHP SDK v1.0.
PHP SDK Version

The cryptographically secure pseudo-random string generator interface for the Facebook SDK for PHP

The cryptographically secure pseudo-random string generator interface allows you to overwrite the default CSPRSG logic by coding to the Facebook\PseudoRandomString\PseudoRandomStringGeneratorInterface.


By default the SDK will attempt to generate a cryptographically secure random string using a number of methods. If a cryptographically secure method is not detected, a Facebook\Exceptions\FacebookSDKException will be thrown.

If your hosting environment does not support any of the CSPRSG methods used by the SDK or if you have preferred CSPRSG, you can provide your own CSPRSG to the SDK using this interface.

Caution: Although it is popular to use rand(), mt_rand() and uniqid() to generate random strings in PHP, these methods are not cryptographically secure. Since the pseudo-random string generator is used to validate against Cross-Site Request Forgery (CSRF) attacks, the random strings must be cryptographically secure. Only overwrite this functionality if your custom pseudo-random string generator is a cryptographically strong one.

An example of implementing a custom CSPRSG:

use Facebook\PseudoRandomString\PseudoRandomStringGeneratorInterface;

class MyCustomPseudoRandomStringGenerator implements PseudoRandomStringGeneratorInterface
   * @inheritdoc
  public function getPseudoRandomString($length)
    $randomString = '';

    // . . . Do CSPRSG logic here . . .

    return $randomString;

To enable your custom CSPRSG implementation in the SDK, you can set an instance of the generator to the pseudo_random_string_generator config of the Facebook\Facebook super service.

$fb = new Facebook\Facebook([
  // . . .
  'pseudo_random_string_generator' => new MyCustomPseudoRandomStringGenerator(),
  // . . .

Alternatively, if you're working with the Facebook\Helpers\FacebookRedirectLoginHelper directly, you can inject your custom generator via the constructor.

use Facebook\Helpers\FacebookRedirectLoginHelper;

$myPseudoRandomStringGenerator = new MyCustomPseudoRandomStringGenerator();
$helper = new FacebookRedirectLoginHelper($fbApp, null, null, $myPseudoRandomStringGenerator);

Method Reference


public string getPseudoRandomString(int $length)

Returns a cryptographically secure pseudo-random string that is $length characters long.