[Fixed]-How to get rid of the #_=_ in the facebook redirect of django-social-auth?


Well, this may not be the exact solution, but adding following script to you head would help in fixing the problem:

<script type="text/javascript">
   if (window.location.hash == '#_=_') {
      window.location.hash = '';


Looks like Facebook always appends the ‘#_=_’ even if the redirect_uri is supplied. Since this behaviour is contrary to Facebook’s blog post this functionality has been submitted to Facebook as a bug. Facebook has provided an official response to this bug claiming that appending the ‘#_=_’ is a design feature that prevents a potential security flaw.

Facebook provides the following advice for dealing with the unwanted uri fragment, “If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.”

It appears that the javascript provided above is a valid solution, even if it is a bit hacky.


<script type="text/javascript">
    if (window.location.href.indexOf('#') > -1) {
        window.location.href = '/';

Leave a comment