I saw similar question Facebook Authentication Example CSRF and they say "The hash (or state) is generated by you for each request to the web service (Facebook) and stored in the session on your server. This hash is sent with the request to Facebook from your website. Facebook sends the exact same hash back as a parameter on the response."
Does it mean that without state at the SESSION the auth won't work?
A few months ago i made this type of login. It may probably work without it, but it is ABSOLUTELY NECESSARY to use that method for CSRF protection.