I saw similar question Facebook Authentication Example CSRF and they say "The hash (or state) is generated by you for each request to the web service (Facebook) and stored in the session on your server. This hash is sent with the request to Facebook from your website. Facebook sends the exact same hash back as a parameter on the response."
Does it mean that without state at the SESSION the auth won't work?
See Question&Answers more detail:os